ICQ excessive memory allocation again

Jan Kaluza hanzz.k at gmail.com
Fri Feb 26 19:10:26 EST 2010


Hi,
I'm using libpurple as the network library for my XMPP Transport. I think
I have a similar problem to one security issue which should already be
fixed in 2.5.8 ( http://pidgin.im/news/security/?id=33 ). I think I
don't have to describe my problem further, because the symptoms are basically
the same as in the mentioned issue. Unfortunately I can't say what client
caused it. I'm using libpurple 2.6.5. I will keep the core dump and
current binary for the required time, so feel free to ask me for more
information.

These are the last few lines of the debug log:
[02/26/10 10:01:05] <libpurple/oscar> incomingim_ch1: unknown TLV
0x000d (len 40)
[02/26/10 10:01:05] <libpurple/oscar> Received IM from 442406467 with 1 parts
[02/26/10 10:01:05] <libpurple/oscar> Parsing IM part, charset=0x0002,
charsubset=0x0026, datalen=122, choice1=UTF-16BE, choice2=UTF-8,
choice3=
[02/26/10 10:01:05] <libpurple/oscar> Received a channel 4 message of type 0x1a.

GLib-ERROR **: gmem.c:135: failed to allocate 3137339393 bytes
aborting...


Backtrace:
(gdb) bt full
#0  0xb7785947 in raise () from /lib/tls/libc.so.6
No symbol table info available.
#1  0xb77870c9 in abort () from /lib/tls/libc.so.6
No symbol table info available.
#2  0xb7d06074 in g_logv () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#3  0xb7d060a9 in g_log () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#4  0xb7d04d0a in g_malloc () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#5  0xb7052239 in byte_stream_getstr (bs=0xbf84fefc, len=-1157627903)
at bstream.c:201
        ob = 0x0
#6  0xb7078bce in purple_parse_incoming_im (od=0x11a818f8,
conn=0x11a73aa8, fr=0x11a73ae8) at oscar.c:3040
        smsmsg = <value optimized out>
        xmlroot = <value optimized out>
        xmltmp = <value optimized out>
        message = <value optimized out>
        qbs = {data = 0x11b23d00 "", len = 228, offset = 38}
        tagstr = 0x11b6a890 ""
        uin = <value optimized out>
        channel = <value optimized out>
        ret = <value optimized out>
        userinfo = (aim_userinfo_t *) 0xbf84ffc4
        ap = 0xbf84ff38
"o\201\210f0\225�4�\201c\200f}^TgN at Y\222\177W��(|���\204�~G73gN�\231�i�\037+\230\212iD\001\205�\022+0�Q"
#7  0xb705a645 in incomingim (od=0x11a818f8, conn=0x11a73aa8,
mod=<value optimized out>, frame=0x11a73ae8, snac=0xbf8502e0,
bs=0x11a73aec) at family_icbm.c:2233
        tlvlist = (GSList *) 0x11b36028
        ret = 0
        cookie = (guchar *) 0x101879f0 "�\221\030�\235\231lF\020"
        channel = <value optimized out>
        userinfo = {bn = 0x11b0cad8 "442406467", warnlevel = 0,
idletime = 0, flags = 80, createtime = 0, membersince = 0, onlinesince
= 1267174865, sessionlen = 0,
  capabilities = 0, icqinfo = {status = 0, ipaddr = 0, crap =
"\000\000\000\000\000\000\000\000\006\000\a", '\0' <repeats 25
times>}, present = 69, iconcsumtype = 0 '\0',
  iconcsumlen = 0, iconcsum = 0x0, info = 0x0, info_encoding = 0x0,
info_len = 0, status = 0x0, status_encoding = 0x0, status_len = 0,
itmsurl = 0x0, itmsurl_encoding = 0x0,
  itmsurl_len = 0, away = 0x0, away_encoding = 0x0, away_len = 0, next = 0x0}
#8  0xb705cb59 in snachandler (od=0x11a818f8, conn=0x11a73aa8,
mod=0x4dff, frame=0x11a73ae8, snac=0xbf8502e0, bs=0x11a73aec) at
family_icbm.c:2848
No locals.
#9  0xb706749f in flap_connection_recv (conn=0x11a73aa8) at
flap_connection.c:790
        flap_version = <value optimized out>
        buf = <value optimized out>
        buflen = <value optimized out>
        read = <value optimized out>
#10 0xb7ddd6dd in recv_cb (data=0x11b0e7c8, source=2153,
cond=PURPLE_INPUT_READ) at sslconn.c:155
No locals.
#11 0x080d1d61 in io_invoke (source=0x11b14530, condition=G_IO_IN,
data=0x11b1cc78) at /home/hanzz/spectrum/src/geventloop.cpp:48
        closure = (PurpleIOClosure *) 0x11b1cc78
        purple_cond = PURPLE_INPUT_READ
        tmp = 1
---Type <return> to continue, or q <return> to quit---
#12 0xb7d26c7f in g_io_channel_unix_get_fd () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#13 0xb7cfd731 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#14 0xb7d007a6 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#15 0xb7d00b67 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#16 0x080e5e7a in GlooxMessageHandler (this=0x818e800,
config=@0xbf850560) at /home/hanzz/spectrum/src/main.cpp:928
No locals.
#17 0x080e620f in main (argc=2, argv=0xbf850604) at
/home/hanzz/spectrum/src/main.cpp:1841
        config = {static npos = 4294967295, _M_dataplus =
{<std::allocator<char>> = {<__gnu_cxx::new_allocator<char>> = {<No
data fields>}, <No data fields>},
    _M_p = 0x818e37c "highflyer.cfg"}}
        error = (GError *) 0x0
        context = (GOptionContext *) 0x818e210


Thanks for the help
Jan Kaluza
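The backtrace above shows byte_stream_getstr() called with len=-1157627903, which g_malloc then reports as a request for 3137339393 bytes: the same bit pattern read back as an unsigned 32-bit size. The following is an added example, not code from this message or from libpurple, showing that conversion on a constructed byte stream and the check a parser needs: a wire-supplied length is validated against the bytes actually remaining before anything is allocated. ByteStream, bs_getstr_checked, read_len_prefixed_string and the two sample buffers are assumed names and constructed data, not the project's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stream type (assumed name, not libpurple's ByteStream). */
typedef struct {
    const uint8_t *data;
    size_t len;     /* total bytes in the buffer */
    size_t offset;  /* bytes consumed so far */
} ByteStream;

static size_t bs_remaining(const ByteStream *bs) {
    return bs->len - bs->offset;
}

/* Read a big-endian 32-bit length field. Returns 0 if fewer than 4 bytes remain. */
static int bs_get32(ByteStream *bs, uint32_t *out) {
    const uint8_t *p;
    if (bs_remaining(bs) < 4)
        return 0;
    p = bs->data + bs->offset;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    bs->offset += 4;
    return 1;
}

/* The failure mode from the report: a length held in a signed int that is
 * negative turns into a huge unsigned size at the allocator boundary.
 * With len = -1157627903 this returns 3137339393, the number GLib printed. */
uint32_t signed_len_as_alloc_size(int32_t len) {
    return (uint32_t)len;
}

/* Hardened string read: the wire-supplied length is checked against the bytes
 * actually left in the stream BEFORE any allocation. Returns NULL on a bad
 * length or on allocation failure; the caller frees the result. */
char *bs_getstr_checked(ByteStream *bs, uint32_t len) {
    char *s;
    if (len > bs_remaining(bs))      /* rejects every negative-as-unsigned value too */
        return NULL;
    s = malloc((size_t)len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, bs->data + bs->offset, len);
    s[len] = '\0';
    bs->offset += len;
    return s;
}

/* Parse one length-prefixed string: 4-byte big-endian length, then the bytes. */
char *read_len_prefixed_string(ByteStream *bs) {
    uint32_t len;
    if (!bs_get32(bs, &len))
        return NULL;
    return bs_getstr_checked(bs, len);
}

/* Constructed sample input: a well-formed 5-byte string. */
static const uint8_t SAMPLE_OK[] = {0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
/* Constructed hostile input: length field 0xBB000001, which is -1157627903 as a
 * signed 32-bit value and 3137339393 as unsigned, with only two bytes following. */
static const uint8_t SAMPLE_BAD[] = {0xBB, 0x00, 0x00, 0x01, 'h', 'i'};

/* Returns 1 when the well-formed sample parses to "hello" and consumes the stream. */
int demo_valid_message(void) {
    ByteStream bs = { SAMPLE_OK, sizeof SAMPLE_OK, 0 };
    char *s = read_len_prefixed_string(&bs);
    int ok = (s != NULL) && strcmp(s, "hello") == 0 && bs_remaining(&bs) == 0;
    free(s);
    return ok;
}

/* Returns the hostile length field as the signed int an unchecked parser would hold. */
int32_t hostile_len_field(void) {
    ByteStream bs = { SAMPLE_BAD, sizeof SAMPLE_BAD, 0 };
    uint32_t v = 0;
    bs_get32(&bs, &v);
    return (int32_t)v;
}

/* Returns 1 when the hostile sample is rejected without any allocation. */
int demo_hostile_message(void) {
    ByteStream bs = { SAMPLE_BAD, sizeof SAMPLE_BAD, 0 };
    return read_len_prefixed_string(&bs) == NULL;
}

int main(void) {
    printf("valid: %d, hostile rejected: %d, hostile len %d -> alloc %u bytes\n",
           demo_valid_message(), demo_hostile_message(),
           (int)hostile_len_field(),
           (unsigned)signed_len_as_alloc_size(hostile_len_field()));
    return 0;
}
```

The check is deliberately done on the unsigned value against bs_remaining(): that single comparison rejects both an honest oversize length and a negative length that has wrapped, so the allocator is never handed a size the attacker chose. A useful detection hook for this class of bug is exactly the GLib line in the report: a `failed to allocate` abort whose size is close to 2^32 almost always means a signed length reached an allocator unchecked.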


More information about the security mailing list