No subject

Sun Dec 12 06:24:10 EST 2010

#4  msn_slplink_process_msg (slplink=0x2effe90, part=0x0) at slplink.c:580
        slpmsg = <value optimized out>
        header = <value optimized out>
        offset = <value optimized out>
#5  0x00007f4c518f3045 in msn_dc_process_packet (data=0x2e5cd60, fd=<value optimized out>, cond=<value optimized out>) at directconn.c:635
        part = 0x0

I haven't looked at this in any detail and probably won't have time to
anytime soon, but it looks like if msn_dc_process_packet() is called
with a short packet when in state DC_STATE_ESTABLISHED,
msn_slpmsgpart_new_from_data() will return NULL "part" if the packet is
smaller than the size of MsnP2PHeader struct, which is then dereferenced
by msn_slplink_process_msg().

Someone more familiar with MSN direct connections would need to
determine why msn_dc_process_packet() is being called with a short
packet. Simple "fix" might be to add NULL check on "part" in
msn_slplink_process_msg() but that smells like papering over the actual



More information about the security mailing list