Possible null-pointer dereference in libpurple /protocols/yahoo/libymsg.c

Marius Wachtler undingen at gmail.com
Tue Feb 22 22:46:24 EST 2011


I think I have found a remote triggerable null-pointer dereference in libpurple.
Maybe this is a false alert because I found the suspected code only by
inspection and have not written any real app which tries to crash

The suspicious code is in libpurple/protocols/yahoo/libymsg.c and can
be found at least in version 2.7.10 and trunk.

Imagine the client receives a packet with:

pkt->service = YAHOO_SERVICE_SMS_MSG;
one key value pair with key = 16

Look at the "yahoo_process_sms_message()" function which will get
called because "pkt->service" has value "YAHOO_SERVICE_SMS_MSG".

	struct _yahoo_im *sms = NULL;
	char *server_msg = NULL;
// sms has value NULL

	while (l != NULL) {
		struct yahoo_pair *pair = l->data;

		if (pair->key == 16)
			server_msg = pair->value;
// server_msg is now != 0

		l = l->next;

	if( (pkt->status == -1) || (pkt->status == YAHOO_STATUS_DISCONNECTED) ) {
// pkt->status is chosen so that the branch will execute

		if (server_msg) {
// server_msg != 0 because of the keyval pair

			PurpleConversation *c;
			c = purple_find_conversation_with_account(PURPLE_CONV_TYPE_IM,
sms->from, account);
// sms == NULL!   --> crash

Hope this helps and I have not overlooked something and wasted your time.

-- Marius Wachtler

More information about the security mailing list