Pidgin MSN memory corruption issue

Mark Doliner mark at kingant.net
Mon Feb 8 05:34:41 EST 2010 

On Mon, Feb 8, 2010 at 1:28 AM, Mark Doliner <mark at kingant.net> wrote:
> I finally had time to look at this.  Using the proof of concept code I
> can trigger 3 errors from valgrind memcheck.  Elliott's patch
> (attached again here, for convenience) fixes the more serious two.
> The remaining problem is "Conditional jump or move depends on
> uninitialised value(s)."  I'm not sure if it's harmful, but I think it
> makes sense to fix it now.

I think I forgot to attach Elliott's original patch.  Anyhoo, here's
his patch (the changes to slp.c) plus my proposed changes to fix the
uninitialized value access (the changes to slplink.c and slpcall.c).

Here's the valgrind log from the uninitialized value access:
==9054== Conditional jump or move depends on uninitialised value(s)
==9054==    at 0x4C26335: strncpy (mc_replace_strmem.c:329)
==9054==    by 0x92D8589: g_strndup (in /lib/libglib-2.0.so.0.2200.3)
==9054==    by 0x10D46C9A: msn_slp_process_msg (slpcall.c:260)
==9054==    by 0x10D48151: msn_slplink_process_msg (slplink.c:624)
==9054==    by 0x10D45B19: msn_p2p_msg (slp.c:884)
==9054==    by 0x10D26B9A: msn_cmdproc_process_msg (cmdproc.c:312)
==9054==    by 0x10D4C6EC: msg_cmd_post (switchboard.c:805)
==9054==    by 0x10D2685F: msn_cmdproc_process_payload (cmdproc.c:239)
==9054==    by 0x10D43377: msn_servconn_process_data (servconn.c:487)
==9054==    by 0x10D2E183: read_cb (httpconn.c:343)
==9054==    by 0x47B82F: pidgin_io_invoke (gtkeventloop.c:78)
==9054==    by 0x92B6BCD: g_main_context_dispatch (in
/lib/libglib-2.0.so.0.2200.3)

The problem was that the proof of concept says the body of the SLP
message will be a certain size, but it doesn't send any data as the
body.  msn_slplink_process_msg uses g_try_malloc to allocate the
appropriate sized buffer, but nothing is ever written into the buffer.
 Then msn_slp_process_msg tries to strdup the whole thing.  So
instead, use the "offset" variable (previously only used for outgoing
messages *I think*) to keep track of how much data has actually been
written to the buffer.

--Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin-CVE-2010-0277_take2.diff
Type: text/x-patch
Size: 3029 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20100208/50fa1481/attachment.bin>

More information about the security mailing list