ZDI-CAN-338: libpurple MSN Protocol SLP Message Heap Overflow Vulnerability

Mark Doliner mark at kingant.net
Thu Jun 26 13:55:19 EDT 2008


On Thu, 26 Jun 2008 13:44:43 -0400, Sadrul Habib Chowdhury wrote
> * Richard Laager had this to say on [26 Jun 2008, 12:28:38 -0500]:
> > On Thu, 2008-06-26 at 12:14 -0500, Mark Doliner wrote:
> > > I think the vulnerability is valid, but I think our fix needs to make sure
> > > we're not wrapping back to 0.
> > 
> > Any idea on the right way to do that?
> >
> 
> Looks like msg.c:msn_message_parse_slp_body is where both the offset
> and the length are set. Perhaps we should validate the data in there.
> But as always, I think a backtrace from the crash would help a lot.
> 
> Sadrul

How about the attached patch?  If we think it looks good could someone check
it in?  I guess it might be good to test it, too.  I'll be pretty busy for at
least the next few hours.

The change is basically:
- if ((offset + len) > slpmsg->size)
+ if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size)
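Review bot: the wrap test `G_MAXSIZE - len < offset` is only the right bound if `offset` and `len` are both gsize-width unsigned values, and the two-line excerpt does not show their declarations (Sadrul points out they are set in msg.c:msn_message_parse_slp_body from wire data). If either is a narrower type, the promoted sum wraps at a smaller limit than G_MAXSIZE and the guard misses it; if either is signed, `G_MAXSIZE - len` itself is suspect. Either cast both to gsize before the comparison or drop the sum entirely and check `len > slpmsg->size || offset > slpmsg->size - len`, which cannot wrap because slpmsg->size is the allocated buffer length, and in that form needs no G_MAXSIZE at all.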

The technique to check for overflow is from http://c-faq.com/misc/intovf.html

-Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: second_attempt.diff
Type: text/x-diff
Size: 1642 bytes
Desc: not available
Url : http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20080626/395c7b9f/attachment.diff 
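To make the wraparound concrete, here is an added C example (it is not code from the thread or from libpurple; the SlpMsg type and function names are assumptions, and SIZE_MAX stands in for GLib's G_MAXSIZE). It puts the original test `(offset + len) > size` beside the patched test and a third, subtraction-only form, and feeds all three an offset chosen so that `offset + len` wraps to a small number. The naive test accepts that fragment and would let a memcpy run far past the buffer; the other two reject it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the reassembly buffer of an SLP message
   (assumed names for this example, not libpurple's own struct). */
typedef struct {
    unsigned char *buffer;
    size_t size;      /* bytes allocated for the reassembled message */
} SlpMsg;

/* Original test from the thread: (offset + len) > size.
   Returns 1 when the fragment is accepted. If offset + len wraps,
   the sum is small and the fragment is wrongly accepted. */
int naive_check_accepts(size_t offset, size_t len, size_t size)
{
    return (offset + len) > size ? 0 : 1;
}

/* Patched test: G_MAXSIZE - len < offset || (offset + len) > size.
   SIZE_MAX plays the role of G_MAXSIZE (both are the maximum size_t). */
int patched_check_accepts(size_t offset, size_t len, size_t size)
{
    if (SIZE_MAX - len < offset)   /* offset + len would wrap */
        return 0;
    if (offset + len > size)       /* would run past the buffer */
        return 0;
    return 1;
}

/* Equivalent form that never computes offset + len: once len <= size,
   size - len cannot underflow, so no wraparound is possible. */
int subtractive_check_accepts(size_t offset, size_t len, size_t size)
{
    if (len > size)
        return 0;
    return offset <= size - len ? 1 : 0;
}

/* Copy a fragment into msg->buffer guarded by the patched check.
   Returns the number of bytes stored, 0 when the fragment is rejected. */
size_t store_fragment(SlpMsg *msg, size_t offset,
                      const unsigned char *data, size_t len)
{
    if (!patched_check_accepts(offset, len, msg->size))
        return 0;
    memcpy(msg->buffer + offset, data, len);
    return len;
}

int main(void)
{
    unsigned char storage[1024] = {0};
    SlpMsg msg = { storage, sizeof storage };
    const unsigned char payload[20] = "constructed fragment";  /* constructed input */

    /* Attacker-controlled offset: offset + 20 wraps to 9, which is < 1024. */
    size_t wrap_offset = SIZE_MAX - 10;

    printf("wrapping offset: naive=%d patched=%d subtractive=%d\n",
           naive_check_accepts(wrap_offset, sizeof payload, msg.size),
           patched_check_accepts(wrap_offset, sizeof payload, msg.size),
           subtractive_check_accepts(wrap_offset, sizeof payload, msg.size));

    /* Ordinary in-bounds fragment is accepted by every variant and stored. */
    printf("stored %zu bytes at offset 100\n",
           store_fragment(&msg, 100, payload, sizeof payload));
    printf("stored %zu bytes at wrapping offset\n",
           store_fragment(&msg, wrap_offset, payload, sizeof payload));
    return 0;
}
```

Both safe forms agree on every input; the subtractive one is easier to audit because it has no dependency on the width of G_MAXSIZE matching the operands.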


More information about the Packagers mailing list