Possible null-pointer dereference in libpurple /protocols/yahoo/libymsg.c
Marius Wachtler
undingen at gmail.com
Thu Feb 24 20:50:26 EST 2011
Hello and thanks for your response.
I also think that this issue shouldn't be a real problem, so I'm fine with
fixing it in the next release.
As for your patch, I think this won't fix the issue because a few lines
after the if, "sms" will still be dereferenced (so if pkt->status has a
different value..).
So I think early exiting would be the best.
--- libymsg.c_old 2011-02-25 09:37:06.719072000 -0800
+++ libymsg.c 2011-02-25 09:39:49.179072003 -0800
@@ -922,6 +922,9 @@
l = l->next;
}
+ if (!sms)
+ return; /* received malformed packet */
+
if( (pkt->status == -1) || (pkt->status == YAHOO_STATUS_DISCONNECTED) ) {
if (server_msg) {
PurpleConversation *c;
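Review bot: The `if (!sms) return;` guard is placed correctly, directly after the loop that populates `sms` and before the first use in the status branch, but returning silently drops all evidence that a malformed packet arrived; consider emitting a `purple_debug_warning()` (libpurple's existing debug API) before the return so that such packets show up in logs, e.g. `purple_debug_warning("yahoo", "received malformed packet, missing sms field\n");`. Also confirm that every other pointer the same loop fills (the hunk shows `server_msg` being tested with `if (server_msg)` below) is either NULL-checked at each use or covered by the same early exit, otherwise the dereference only moves.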
But in the meantime I have looked at other possible similar bugs and
found one in:
libymsg.c: yahoo_process_notify()
This time the problematic variable is called "stat", and this function
also gets called from the code which handles the p2p packets.
I have no knowledge of the Yahoo Messenger protocol, but if this is
really data which comes from another peer, this can be a real problem.
Thanks for your response.
-- Marius Wachtler