Msn Icon DOS on 2.6.5

Pierre Noguès pierre at meta-security.com
Wed Feb 17 07:23:24 EST 2010


Hello,

I discovered a low-severity vulnerability which can lead to a remote DoS of Pidgin. This
vulnerability can't be exploited to lead to remote code execution. Tested on 2.6.5.

The vulnerability is located in slp.c here:

     msn_emoticon_msg(MsnCmdProc *cmdproc, MsnMessage *msg){

         //...
         tokens = g_strsplit(body_str, "\t", 10);
         // tokens can be NULL!

         //...
         if (tokens[tok] == NULL || tokens[tok + 1] == NULL) {
             // dereferences a NULL pointer => CRASH

When the msg body doesn't contain a '\t' character, g_strsplit returns NULL, and this NULL pointer is
dereferenced (read access) in the for loop. That's why it crashes.

Backtrace:
     #0  0x00007f54b6de3473 in msn_emoticon_msg () from /usr/lib/purple-2/libmsn.so
     #1  0x00007f54b6dcbb32 in msn_cmdproc_process_msg () from /usr/lib/purple-2/libmsn.so
     #2  0x00007f54b6de80e4 in ?? () from /usr/lib/purple-2/libmsn.so
     #3  0x00007f54b6de1e7c in msn_servconn_process_data () from /usr/lib/purple-2/libmsn.so
     #4  0x00007f54b6de2022 in ?? () from /usr/lib/purple-2/libmsn.so
     #5  0x000000000046661e in ?? ()
     #6  0x00007f54cae7820a in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
     #7  0x00007f54cae7b8e0 in ?? () from /usr/lib/libglib-2.0.so.0
     #8  0x00007f54cae7bdad in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
     #9  0x00007f54cc02abc7 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
     #10 0x000000000047dc83 in main ()

Solution:
Check that tokens isn't NULL before entering the loop.

Reproduce the bug:
Just send a MIME message with content-type "text/x-mms-emoticon" and no icon. It will crash.

Thank you for providing this free software.

-- 
Pierre Noguès - Meta Security
Security consultant

http://meta-security.com
40 rue Albéric de Calonne - 80 000 Amiens
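The fix the report proposes, shown as an added stand-alone example (not Pidgin's code and not from the poster): a constructed split_tabs() models the splitting step that, per the report, yields NULL when the body has no tab, and count_emoticon_pairs() is the loop with the missing NULL check in place. The name/data pairing and the loop bound of 9 are assumptions about the handler.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the tab-splitting step in the report (not GLib):
 * returns a NULL-terminated array of up to max_tokens copied fields, with the
 * last slot keeping the remainder, or NULL when the body holds no tab at all
 * (the case the report says crashes the real handler). */
static char **split_tabs(const char *body, size_t max_tokens) {
    if (body == NULL || strchr(body, '\t') == NULL)
        return NULL;
    char **tokens = calloc(max_tokens + 1, sizeof *tokens);
    if (tokens == NULL)
        return NULL;
    const char *p = body;
    for (size_t n = 0; n < max_tokens; n++) {
        const char *tab = (n + 1 < max_tokens) ? strchr(p, '\t') : NULL;
        size_t len = tab ? (size_t)(tab - p) : strlen(p);
        tokens[n] = malloc(len + 1);
        if (tokens[n] == NULL) break;
        memcpy(tokens[n], p, len);
        tokens[n][len] = '\0';
        if (tab == NULL) break;
        p = tab + 1;
    }
    return tokens;
}

static void free_tokens(char **tokens) {
    if (tokens == NULL) return;
    for (size_t i = 0; tokens[i] != NULL; i++) free(tokens[i]);
    free(tokens);
}

/* Hardened loop: returns the number of complete token pairs found, and 0
 * without touching tokens[] when splitting produced nothing. The pairing
 * and the bound of 9 are assumptions about the handler, not from the post. */
int count_emoticon_pairs(const char *body) {
    char **tokens = split_tabs(body, 10);
    if (tokens == NULL)            /* the check the report says is missing */
        return 0;
    int pairs = 0;
    for (int tok = 0; tok < 9; tok += 2) {
        if (tokens[tok] == NULL || tokens[tok + 1] == NULL)
            break;                 /* safe: tokens is non-NULL here */
        pairs++;
    }
    free_tokens(tokens);
    return pairs;
}
```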

