Remotely-triggerable crash in oscar xstatus code
Paul Aurich
paul at darkrain42.org
Wed Jul 14 13:44:50 EDT 2010
On 2010-07-14 00:46, Mark Doliner wrote:
> Great, thanks guys! I'll email packagers in a few minutes. See two
> notes inline below.
>
>> It looks like there are two xstatus updates back-to-back. I can't
>> recognize SNAC-framing-in-octal, so I can't tell if that's two SNAC
>> packets smooshed together or just two xstatus updates, but if it's the
>> latter, the code doesn't handle it (and if it's the former, I think
>> that's a bug somewhere else in the prpl)
>
> Yeah I don't know what's up with that dump. The two xstatus strings
> look mostly the same, right, but the first one is cut off? I wonder
> if that variable just isn't null terminated or something? Or maybe
> it's already been freed, and that memory just happens to contain the
> xstatus message twice for some reason?
Yeah, they do look like a truncated copy and another copy (the second of
which still isn't parseable XML!)
Based on some of the debugging details I left out, I don't think it's an
issue of reading past the end of the variable. Here's the pastebin
(reproduced below for posterity/because pastie.org is having issues):
http://pastie.org/1043608
The ByteStream reports its length as 1412, and that's how many bytes'
worth of data is being printed, so I don't think this is
uninitialized memory. While it's definitely odd, I don't think it's
sufficiently related to the crash, so I'll file a ticket for this (after the
embargo), and probably one for dealing with "\r\n" (I suspect they need
to be translated into newlines).
~Paul
(gdb) bt full
#0 0xb722a493 in snachandler (od=0xafed2af0, conn=0x9c9b33a0,
mod=0xafb2f870, frame=0x9c9b33e0, snac=0xbfca2ea0, bs=0x9c9b33e4) at
family_icbm.c:2724
No locals.
#1 0xb723489f in flap_connection_recv (conn=0x9c9b33a0) at
flap_connection.c:771
flap_version = <value optimized out>
buf = <value optimized out>
buflen = <value optimized out>
read = <value optimized out>
#2 0xb7d6929d in recv_cb (data=0xb363a5b8, source=943,
cond=PURPLE_INPUT_READ) at sslconn.c:155
No locals.
#3 0x080f6fb1 in io_invoke (source=0x9c932628, condition=G_IO_IN,
data=0x9c9b7460) at /home/hanzz/spectrum/src/geventloop.cpp:51
closure = (PurpleIOClosure *) 0x9c9b7460
purple_cond = PURPLE_INPUT_READ
tmp = 1
#4 0xb7c903af in g_io_unix_dispatch (source=0x9c932680,
callback=0x80f6f46 <io_invoke>, user_data=0x9c9b7460) at giounix.c:162
buffer_condition = 0
#5 0xb7c5be02 in IA__g_main_context_dispatch (context=0x81d08a8) at
gmain.c:1814
No locals.
#6 0xb7c5f04b in g_main_context_iterate (context=0x81d08a8, block=1,
dispatch=1, self=0x81ce5c0) at gmain.c:2448
got_ownership = <value optimized out>
max_priority = 2147483647
timeout = 46
some_ready = 1
nfds = <value optimized out>
allocated_nfds = <value optimized out>
fds = (GPollFD *) 0x9b9443c0
__PRETTY_FUNCTION__ = "g_main_context_iterate"
#7 0xb7c5f397 in IA__g_main_loop_run (loop=0x81d0928) at gmain.c:2656
got_ownership = -1216365696
self = (GThread *) 0x81ce5c0
__PRETTY_FUNCTION__ = "IA__g_main_loop_run"
#8 0x0810d229 in GlooxMessageHandler (this=0x81ce2f8,
config=@0xbfca31c0) at /home/hanzz/spectrum/src/main.cpp:1016
No locals.
#9 0x0810d6a8 in main (argc=2, argv=0xbfca3264) at
/home/hanzz/spectrum/src/main.cpp:1996
sa = {__sigaction_handler = {sa_handler = 0x8108980
<spectrum_sighup_handler>, sa_sigaction = 0x8108980
<spectrum_sighup_handler>}, sa_mask = {__val = {
0 <repeats 32 times>}}, sa_flags = 0, sa_restorer = 0}
config = {static npos = 4294967295, _M_dataplus =
{<std::allocator<char>> = {<__gnu_cxx::new_allocator<char>> = {<No data
fields>}, <No data fields>},
_M_p = 0x81ce2e4 "highflyer.cfg"}}
error = (GError *) 0x0
context = (GOptionContext *) 0x81cd308
(gdb) p *bs
$13 = {data = 0xb3833b20 "", len = 1412, offset = 1412}
(gdb) p *bs.data@1412
$14 =
"\000\004\000\v\000\000\231s)(2862777\000\000\002\t198794995\000\003\033\000\b",
'\0' <repeats 19 times>, "\003\000\000\000\004��\016\000��", '\0'
<repeats 12 times>,
"\032\000\000\000\000\000\001\000\000O\000;`���*lE��\234Z^g�e\b\000*\000\000\000Script
Plug-in: Remote Notification Arrive\000\000\001", '\0' <repeats 12
times>, "�\004\000\000�\004\000\000<NR><RES><ret
event='OnRemoteNotification'><srv><id>cAwaySrv</id><val
srv_id='cAwaySrv'><Root><CASXtraSetAwayMessage></CASXtraSetAwayMessage><uin>198794995</uin><index>17</index><title>Mindfulness
fosters happiness. Our intentional, effortful
activities*\002\023\t\005\204\000\004\000\v\000\000Q�\000\v2862777\000\000\002\t361595606\000\003\033\000\b",
'\0' <repeats 19 times>, "\003\000\000\000\004��\016\000��", '\0'
<repeats 12 times>,
"\032\000\000\000\000\000\001\000\000O\000;`���*lE��\234Z^g�e\b\000*\000\000\000Script
Plug-in: Remote Notification Arrive\000\000\001", '\0' <repeats 12
times>, "�\004\000\000�\004\000\000<NR><RES><ret
event='OnRemoteNotification'><srv><id>cAwaySrv</id><val
srv_id='cAwaySrv'><Root><CASXtraSetAwayMessage></CASXtraSetAwayMessage><uin>198794995</uin><index>17</index><title>Mindfulness
fosters happiness. Our intentional, effortful activities have a powerful
effect on how happy we are, over and above the effects of our set points
and the circumstances in which we find
ourselves.</title><desc>People high in mindfulness - that
is, those who are prone to be mindfully attentive to the here and now
and keenly aware of their surroundings - are models of flourishing and
positive mental health.\r\n---\r\nWe have control of a big"
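As an added example that is not part of this thread or of libpurple's own code: a hypothetical bounds-checked byte stream, shaped like the {data, len, offset} triple in the gdb output above, that walks back-to-back length-prefixed updates, stops cleanly when a record claims more bytes than remain (the truncated copy) and folds "\r\n" into newlines. The record layout, the struct and every function name here are assumptions, not the prpl's real format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical stream: same three fields gdb showed for *bs, but every
 * read is checked against len so offset can never run past the buffer. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t offset;
} xs_bytestream;

static size_t xs_remaining(const xs_bytestream *bs) { return bs->len - bs->offset; }

/* Read a big-endian u16 only if two bytes remain; otherwise touch nothing. */
static bool xs_get16(xs_bytestream *bs, uint16_t *out) {
    if (xs_remaining(bs) < 2) return false;
    *out = (uint16_t)((bs->data[bs->offset] << 8) | bs->data[bs->offset + 1]);
    bs->offset += 2;
    return true;
}

/* Parse consecutive [u16 length][payload] records into out[] (NUL-terminated,
 * CRLF folded to LF). A record whose declared length exceeds the remaining
 * bytes is treated as malformed: the stream is drained and parsing stops. */
int xs_parse_updates(xs_bytestream *bs, char out[][64], int max_out) {
    int n = 0;
    uint16_t rec_len;
    while (n < max_out && xs_get16(bs, &rec_len)) {
        if (rec_len > xs_remaining(bs) || rec_len >= 64) {
            bs->offset = bs->len;  /* drain rather than read past len */
            break;
        }
        size_t w = 0;
        for (size_t i = 0; i < rec_len; i++) {
            uint8_t c = bs->data[bs->offset + i];
            if (c == '\r' && i + 1 < rec_len && bs->data[bs->offset + i + 1] == '\n') continue;
            out[n][w++] = (char)c;
        }
        out[n][w] = '\0';
        bs->offset += rec_len;
        n++;
    }
    return n;
}

/* Constructed sample: one complete record "a\r\nb", then a record that
 * claims 9 payload bytes while only 3 are present (a truncated copy). */
static const uint8_t sample[] = { 0x00, 0x04, 'a', '\r', '\n', 'b', 0x00, 0x09, 'x', 'y', 'z' };

int xs_demo(char out[][64], int max_out, size_t *final_offset) {
    xs_bytestream bs = { sample, sizeof sample, 0 };
    int n = xs_parse_updates(&bs, out, max_out);
    *final_offset = bs.offset;
    return n;
}
```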