ZDI-CAN-338: libpurple MSN Protocol SLP Message Heap Overflow Vulnerability

Richard Laager rlaager at pidgin.im
Thu Jun 26 12:43:25 EDT 2008


On Tue, 2008-05-27 at 10:01 -0700, zdi-disclosures at 3com.com wrote:
> The bug is in libpurple/protocols/msn/slplink.c in the
> msn_slplink_process_msg function:
>
> void msn_slplink_process_msg(MsnSlpLink *slplink, MsnMessage *msg){
>    gsize offset;    
> ...
>    offset = msg->msnslp_header.offset; [ 1 ]
> ...
>        slpmsg->size = msg->msnslp_header.total_size;
> ...
>            slpmsg->buffer = g_try_malloc(slpmsg->size);
> ...
>        if ((offset + len) > slpmsg->size) [ 2 ]
>        {
>            purple_debug_error("msn", "Oversized slpmsg\n");
>            g_return_if_reached();
>        }
>        else
>            memcpy(slpmsg->buffer + offset, data, len); [ 3 ]
>
> If offset = -1 * len, then the check at [ 2 ] will pass because offset
> + len = 0.  The memcpy at [ 3 ] will then write (-1 * len) bytes
> *before* the memory allocated to slpmsg->buffer.  This allows you to
> overwrite malloc_chunk structures or application structures which are
> within len bytes of slpmsg->buffer.

Another developer noticed this:
offset and len are both of type gsize, which is unsigned. Therefore,
neighter can be negative, so this shouldn't be possible.

Are we missing something?

Richard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20080626/b64a8e77/attachment.pgp 


More information about the Packagers mailing list