Fwd: FYI: Remote DOS in Pidgin 2.2.0 over MSN

Luke Schierer lschiere at pidgin.im
Thu Sep 27 20:43:58 EDT 2007

----- Forwarded message from Evan Schoenberg <evands at pidgin.im> -----

Date: Thu, 27 Sep 2007 20:38:50 -0400
From: Evan Schoenberg <evands at pidgin.im>
To: Sean Egan <seanegan at gmail.com>, Mark Doliner <mark at kingant.net>
Cc: Luke Schierer <lschiere at pidgin.im>
Subject: FYI: Remote DOS in Pidgin 2.2.0 over MSN

An MSN nudge sent from a previously unknown buddy causes an immediate  
crash in libpurple 2.2.0.  I fixed this in  
a5dd91b5d76972cf72a56209503c7e32d71c6e3c - I wasn't sure how best to  
note the fix without advertising the DOS, so my log message:

serv_got_attention() doesn't expect an escaped string; it just wants a  
name. The str variable was unused.

is true but incomplete, as I didn't note that this also fixes the  
crash.  With the previous code, buddy was NULL for an unknown remote  
user; NULL was then dereferenced to get the name for passing to  

What's the proper protocol for handling this sort of thing?


----- End forwarded message -----

More information about the Packagers mailing list