Possible null-pointer dereference in libpurple /protocols/yahoo/libymsg.c

John Bailey rekkanoryo at rekkanoryo.org
Thu Feb 24 21:24:54 EST 2011

On 02/24/2011 08:50 PM, Marius Wachtler wrote:
> As with your patch I think this won't fix the issue because a few lines
> after the if "sms" will still be dereferenced (so if pkt->status has
> a different value..).
> So I think early exiting would be the best.

You're right.  I wasn't reading the function closely enough and skipped over the
ending bits.  Here's a second attempt that includes an attempted fix for the
part you described below:

> libymsg.c: yahoo_process_notify()
> This time the problematic variable is called "stat" and this function
> also gets called from the code which handles the p2p packets.
> I have no knowledge of the Yahoo Messenger protocol, but if this is
> really data which comes from another peer this can be a real problem.

That function indeed can process packets coming directly from another client and
not passing through the YMSG server.  There's no chance the server can sanitize
such packets in that case.

I don't think the particular solution I used can cause any problems other than
not showing information to the user when a malformed packet comes in, which is
obviously far preferable to a crash.  Although this would likely be trivially
exploitable, I think it too can be fixed in 2.7.11 on the same timeline.

Again, anyone wanting to give the patch a once-over would be greatly appreciated!
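The shape of the bug and of the early-exit fix discussed above, as an added illustration that is not part of the thread and not libpurple's libymsg.c. The packet struct, the packet_get() lookup, the field numbers KEY_FROM and KEY_STAT, and the notify_unsafe()/notify_safe() handlers are all constructed for this example and do not correspond to the real YMSG layout or to any libpurple function.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed key/value packet, standing in for a message whose fields
 * are chosen entirely by the sender (in the p2p case, by another peer). */
typedef struct {
    int key;
    const char *value;
} kv_pair;

typedef struct {
    int status;
    size_t count;
    kv_pair pairs[8];
} packet;

/* Returns the value for key, or NULL when the sender omitted it.
 * Every caller must treat NULL as a normal outcome, not an impossibility. */
static const char *packet_get(const packet *pkt, int key) {
    for (size_t i = 0; i < pkt->count; i++)
        if (pkt->pairs[i].key == key)
            return pkt->pairs[i].value;
    return NULL;
}

/* Field numbers invented for this example; not the protocol's own. */
enum { KEY_FROM = 4, KEY_STAT = 13 };

/* Buggy shape (the first-patch mistake the thread points out): the NULL
 * check guards one branch, but the code that follows dereferences the
 * same pointer unconditionally. Kept for contrast; it is only ever called
 * below with a complete packet so that it does not crash. */
static int notify_unsafe(const packet *pkt, char *out, size_t outlen) {
    const char *from = packet_get(pkt, KEY_FROM);
    const char *stat = packet_get(pkt, KEY_STAT);
    if (stat != NULL && pkt->status == 1)
        snprintf(out, outlen, "%s is typing", from);
    /* When status != 1 we fall through to here with stat possibly NULL. */
    if (stat[0] == '0')
        snprintf(out, outlen, "%s stopped typing", from);
    return 0;
}

/* Hardened shape: validate every field the function needs before any use,
 * and return on the first missing one. A malformed packet then costs the
 * user one dropped notification rather than a crash. */
static int notify_safe(const packet *pkt, char *out, size_t outlen) {
    const char *from = packet_get(pkt, KEY_FROM);
    const char *stat = packet_get(pkt, KEY_STAT);
    if (from == NULL || stat == NULL)
        return -1;                /* early exit: nothing below may touch them */
    if (strcmp(stat, "1") == 0)
        snprintf(out, outlen, "%s is typing", from);
    else
        snprintf(out, outlen, "%s stopped typing", from);
    return 0;
}

/* Builds a constructed packet; with_stat == 0 omits the "stat" field
 * the way a malformed or hostile packet would. */
static packet make_packet(int status, int with_stat) {
    packet p;
    memset(&p, 0, sizeof p);
    p.status = status;
    p.pairs[p.count].key = KEY_FROM;
    p.pairs[p.count++].value = "peer";
    if (with_stat) {
        p.pairs[p.count].key = KEY_STAT;
        p.pairs[p.count++].value = "1";
    }
    return p;
}

int main(void) {
    char buf[64];
    packet good = make_packet(1, 1);
    packet bad = make_packet(0, 0);   /* no "stat" field at all */

    notify_unsafe(&good, buf, sizeof buf);
    printf("unsafe, complete packet: %s\n", buf);
    printf("safe, complete packet: rc=%d, %s\n",
           notify_safe(&good, buf, sizeof buf), buf);
    printf("safe, missing field: rc=%d (notification dropped)\n",
           notify_safe(&bad, buf, sizeof buf));
    return 0;
}
```

The check belongs at the top of the handler, before the status switch, because that is the only place that covers every later use of the pointer; a check inside one branch, as in the first patch, leaves the fall-through path exposed.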

