XMMP/Jabber clients DoS vulnerability report

Mark Doliner mark at kingant.net
Mon Feb 15 00:50:35 EST 2010 

On Fri, Feb 12, 2010 at 7:49 AM, Ethan Blanton <elb at pidgin.im> wrote:
> Mark Doliner spake unto us the following wisdom:
>> On Wed, Feb 10, 2010 at 6:25 AM, Ethan Blanton <elb at pidgin.im> wrote:
>> > Mark Doliner spake unto us the following wisdom:
>> >> How does the attached patch look to people?  It sets a limit of 200
>> >> smileys per GtkIMHtml by keeping a counter using g_object_get_data and
>> >> g_object_set_data.  200 is fairly arbitrary.  My computer can handle
>> >> more, but my computer is fairy fast.  I suspect some of our users will
>> >> hit the 200 limit because, well, you know our users :-), but I also
>> >> suspect that 200 is more than enough for any reasonable conversation.
>> >
>> > Does each smiley rendering become progressively slower, or something?
>> > I would be inclined to account this per-IM, not per-IMHtml.  If an
>> > IMHtml is getting generally slow, people have time to close the window
>> > and open a new one; if a single IM is loaded up with smileys and
>> > unusably slow, that's a different matter.
>>
>> I'm not sure if each smiley rendering becomes progressively slower.  I
>> feel like it might, but I didn't look at the code very closely.  It
>> does seem like the slowness happens when adding the smileys to the
>> GtkText, so having a per-IM limit might be sufficient.  What if we had
>> both?  Maybe a limit of 500 smileys total and a limit of 15 per call
>> to gtk_imhtml_insert_html_at_iter?  I haven't tried to smaller limit,
>> so it may not be easy.
>
> My inclination is to not limit the conversation total, as people who
> leave their conversations open for long periods of time will hit the
> limit and have no idea why.  Per-IM sort of has this problem, too, but
> it's not something which will arbitrarily crop up at some time and
> never go away, if you know what I mean.
>
> Maybe I overanalyze.

Each smiley rendering does become progressively slower, but only a wee
bit.  The bigger problem is when a single message contains many
smileys (although I have no idea why--this seems weird to me).

Revised patch is attached.  It adds a limit of 30 smileys per call to
gtk_imhtml_insert_smiley_at_iter, which is called once to insert the
text of each IM.  I kept the per-conversation limit but increased it
to 300.  If there are no objections I'll put this in the 2.6.6 tarball
that I build tomorrow night, and will mtn push on Thursday.

I also noticed that gtk_imhtml_insert_smiley_at_iter looks up the
smiley in the smiley trees twice.  The first time when it calls
gtk_imhtml_smiley_get, the second time when it calls
gtk_smiley_tree_image which calls gtk_imhtml_smiley_get.  So I fixed
that, but I don't think that's the main cause of this slowness.

--Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2010-0423.diff
Type: text/x-patch
Size: 4362 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20100214/38b6c447/attachment.bin>

More information about the security mailing list