No subject
Sun Dec 12 06:24:10 EST 2010
#4 msn_slplink_process_msg (slplink=0x2effe90, part=0x0) at slplink.c:580
slpmsg = <value optimized out>
header = <value optimized out>
offset = <value optimized out>
#5 0x00007f4c518f3045 in msn_dc_process_packet (data=0x2e5cd60, fd=<value optimized out>, cond=<value optimized out>) at directconn.c:635
part = 0x0
I haven't looked at this in any detail and probably won't have time to
anytime soon, but it looks like if msn_dc_process_packet() is called
with a short packet when in state DC_STATE_ESTABLISHED,
msn_slpmsgpart_new_from_data() will return NULL "part" if the packet is
smaller than the size of MsnP2PHeader struct, which is then dereferenced
by msn_slplink_process_msg().
Someone more familiar with MSN direct connections would need to
determine why msn_dc_process_packet() is being called with a short
packet. Simple "fix" might be to add NULL check on "part" in
msn_slplink_process_msg() but that smells like papering over the actual
problem.
Regards,
Stu.
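The crash path described above, as an added illustration that is not part of the original mail or of libpurple: a simplified C model of the two layers (the part constructor that returns NULL on a short packet, and the caller that consumed that NULL), with the NULL check added at the consumer. The header length, struct layout and function names are assumptions made for this example, not Pidgin's real definitions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed header size for this illustration. The real MsnP2PHeader in
 * libpurple may differ; only the "packet shorter than header" condition
 * from the report matters here. */
#define P2P_HEADER_LEN 48

/* Simplified stand-in for a message part: raw header bytes plus the
 * payload that follows them. */
typedef struct {
    unsigned char header[P2P_HEADER_LEN];
    const unsigned char *body;
    size_t body_len;
} P2PPart;

/* Model of msn_slpmsgpart_new_from_data(): refuses to build a part when the
 * buffer cannot hold a full header, and signals that by returning NULL. */
P2PPart *part_new_from_data(const unsigned char *data, size_t len)
{
    if (data == NULL || len < P2P_HEADER_LEN)
        return NULL;
    P2PPart *part = calloc(1, sizeof *part);
    if (part == NULL)
        return NULL;
    memcpy(part->header, data, P2P_HEADER_LEN);
    part->body = data + P2P_HEADER_LEN;
    part->body_len = len - P2P_HEADER_LEN;
    return part;
}

/* Model of the slplink layer that consumes the part. Returns the number of
 * payload bytes it handled, or -1 when no part was produced. The report
 * describes this layer dereferencing a NULL part; the check below is the
 * "simple fix" the mail mentions, turning the crash into a dropped packet. */
long slplink_process_part(const P2PPart *part)
{
    if (part == NULL)
        return -1;
    return (long)part->body_len;
}

/* Model of msn_dc_process_packet() in the ESTABLISHED state: build the
 * part from the raw packet, hand it on, release it. */
long dc_process_packet(const unsigned char *data, size_t len)
{
    P2PPart *part = part_new_from_data(data, len);
    long rc = slplink_process_part(part);
    free(part); /* free(NULL) is a no-op */
    return rc;
}

int main(void)
{
    /* Constructed inputs: a truncated packet and a well-formed one. */
    unsigned char short_pkt[10] = {0};
    unsigned char full_pkt[P2P_HEADER_LEN + 12] = {0};

    printf("short packet -> %ld\n", dc_process_packet(short_pkt, sizeof short_pkt));
    printf("full packet  -> %ld\n", dc_process_packet(full_pkt, sizeof full_pkt));
    return 0;
}
```

The length check at the parse boundary is the real guard; the NULL check at the consumer only makes the rejection survivable. As the mail notes, that still leaves open why a short packet reaches this path at all, so the rejection branch is also a sensible place to log the packet length and connection state while that is being investigated.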