ZDI-CAN-338: libpurple MSN Protocol SLP Message Heap Overflow Vulnerability

Sadrul Habib Chowdhury imadil at gmail.com
Thu Jun 26 13:44:43 EDT 2008

* Richard Laager had this to say on [26 Jun 2008, 12:28:38 -0500]:
> On Thu, 2008-06-26 at 12:14 -0500, Mark Doliner wrote:
> > I think the vulnerability is valid, but I think our fix needs to make sure
> > we're not wrapping back to 0.
> Any idea on the right way to do that?

Looks like msg.c:msn_message_parse_slp_body is where both the offset
and the length are set. Perhaps we should validate the data in there.
But as always, I think a backtrace from the crash would help a lot.


More information about the Packagers mailing list