fix for MSN file transfer crash (CVE-2008-2955)

Mon Jul 7 06:48:49 EDT 2008

Hallo.

I got a report on an MSN invalid file name triggered crash of receiving
side.

As I did not found a fix nor a bug report anywhere in the pidgin bug
tracker, I tried to fix it.

Here is my attempt:
http://developer.pidgin.im/ticket/6246

I am not a pidgin expert, so the fix may be incorrect, but it fixed the
crash for me.

File receive in msn_slplink_process_msg() calls purple_xfer_start() and
then it copies dest_fp file descriptor to a private structure without
further checks checking.

In case, if destination file open fails for any reason,
purple_xfer_start() calls purple_xfer_cancel_local(), and it 
calls purple_xfer_unref() on the whole xfer structure.

Subsequent xfer->dest_fp then tries to access released memory.

I am not sure, why MSN code clones file descriptor to its own structures
- libpurple provides its own file writing callback.

It seems to have lower severity than reported - malicious sender can
cause failure only by choosing invalid (e. g. too long) file name.

the problem can be triggered even when sending from pidgin to pidgin -
file name suggested in the PoC has the maximal length on the sender
side, but maximal length + 1 on the receiving side. I did not searched
in deep, why it is one byte longer - maybe it's caused by glib filename
encoding code.

References:
CVE-2008-2955
BUGTRAQ:20080626 Pidgin
2.4.1 Vulnerability
FRSIRT:ADV-2008-1947
SECUNIA:30881

-- 
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.                          e-mail: sbrabec at suse.cz
Lihovarská 1060/12           tel: +420 284 028 966, +49 911 740538747
190 00 Praha 9                                  fax: +420 284 028 951
Czech Republic                                    http://www.suse.cz/