security review and patches for libpurple

Paul Aurich paul at darkrain42.org
Thu Aug 11 23:38:20 EDT 2011


And Ethan Blanton spoke on 08/11/2011 08:19 AM, saying:
> * auth_cyrus.c
> 
>   This is bogus like the first patch; len is strlen(pw).  If we can
>   determine the size of sasl_secret_t.data, we need to use that.  I
>   haven't looked into this yet.

sasl_secret_t.data is malloc()d directly prior in the function, so it can
never be an overflow -- the object is defined the same as the rejected
patch for stringref.c.

From sasl.h:
typedef struct sasl_secret {
    unsigned long len;
    unsigned char data[1];		/* variable sized */
} sasl_secret_t;

From auth_cyrus.c:
static int jabber_sasl_cb_secret(sasl_conn_t *conn, void *ctx, int id,
sasl_secret_t **secret)
{
...
	len = strlen(pw);
	/* Not an off-by-one because sasl_secret_t defines char data[1] */
	/* TODO: This can probably be moved to glib's allocator */
	js->sasl_secret = malloc(sizeof(sasl_secret_t) + len);
	if (!js->sasl_secret)
		return SASL_NOMEM;

	js->sasl_secret->len = len;
	strcpy((char*)js->sasl_secret->data, pw);

	*secret = js->sasl_secret;
	return SASL_OK;
}

(It does seem like there might now be a memory leak in here if Cyrus calls
the secret_cb function multiple times [prior to fixing a race condition we
had, it was a realloc of a static struct], but that's unrelated).

~Paul

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20110811/d9aa790a/attachment.pgp>


More information about the security mailing list