ZDI-CAN-338: libpurple MSN Protocol SLP Message Heap Overflow Vulnerability

Mark Doliner mark at kingant.net
Thu Jun 26 18:18:30 EDT 2008


On Thu, 26 Jun 2008 15:11:43 -0400, Stu Tomlinson wrote
> On Thu, 2008-06-26 at 12:55 -0500, Mark Doliner wrote:
> > On Thu, 26 Jun 2008 13:44:43 -0400, Sadrul Habib Chowdhury wrote
> > > * Richard Laager had this to say on [26 Jun 2008, 12:28:38 -0500]:
> > > > On Thu, 2008-06-26 at 12:14 -0500, Mark Doliner wrote:
> > > > > I think the vulnerability is valid, but I think our fix needs to
> > > > > make sure we're not wrapping back to 0.
> > > > 
> > > > Any idea on the right way to do that?
> > > >
> > > 
> > > Looks like msg.c:msn_message_parse_slp_body is where both the offset
> > > and the length are set. Perhaps we should validate the data in there.
> > > But as always, I think a backtrace from the crash would help a lot.
> > > 
> > > Sadrul
> > 
> > How about the attached patch?  If we think it looks good could someone check
> > it in?  I guess it might be good to test it, too.  I'll be pretty busy for at
> > least the next few hours.
> 
> Looks good to me, and I confirmed it fixes the crash (whereas the
> previous fix did not). I checked it in (sort of, I didn't actually
> realize you attached a patch before I'd committed half of it
> manually).

Sweet, thanks.

-Mark
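As an added illustration of the "wrapping back to 0" concern raised in this thread (not libpurple's code and not the patch discussed here; the names and types are hypothetical): a naive offset + length bounds check beside a form that cannot wrap, and a chunk copy that refuses to write when the range does not fit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Naive check: with unsigned arithmetic, offset + len silently wraps
 * past UINT64_MAX back to a small value, so an absurd len passes.
 * Kept only for comparison with the safe form below. */
static bool bounds_ok_naive(uint64_t offset, uint64_t len, uint64_t total)
{
    return offset + len <= total;   /* wraps when offset + len overflows */
}

/* Safe check: never forms offset + len, so nothing can wrap.
 * Rejects offset beyond the buffer, then checks len against what is left. */
static bool bounds_ok(uint64_t offset, uint64_t len, uint64_t total)
{
    return offset <= total && len <= total - offset;
}

/* Copy a chunk into a buffer of capacity `total` at `offset`, but only
 * when the validated range fits. Returns bytes copied, or 0 on rejection. */
static size_t slp_copy_chunk(uint8_t *buf, uint64_t total, uint64_t offset,
                             const uint8_t *chunk, uint64_t len)
{
    if (!bounds_ok(offset, len, total))
        return 0;                    /* rejected: would run past the buffer */
    memcpy(buf + offset, chunk, (size_t)len);
    return (size_t)len;
}
```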


