Wrong buffer size calculation in msn_httpconn_parse_data
Daniel Atallah
daniel.atallah at gmail.com
Wed Jul 20 23:31:46 EDT 2011
On Thu, Jul 14, 2011 at 11:37, Marius Wachtler <undingen at gmail.com> wrote:
> Hello
>
> My compiler found a bug in libpurple/protocols/msn/httpconn.c
> msn_httpconn_parse_data(). (Version 2.9.0)
>
>     if ((s = strstr(buf, "\r\n\r\n")) == NULL)
>         return FALSE;
>
>     s += 4;
>
>     if (*s == '\0')
>     {
>         *ret_buf = g_strdup("");
>         *ret_size = 0;
>
>         msn_httpconn_process_queue(httpconn);
>
>         return TRUE;
>     }
>
>     buf = s;
>     size -= (s - buf);
>
> The last two lines should be swapped, otherwise the buffer size will
> not be reduced.
>
> I don't know if this has real security implications but I thought it
> better to send it to the security list...
>
> Thank you
> Marius Wachtler
Marius, thanks for your report.
Sorry nobody got back to you sooner.
It does indeed look like that is a bug, and from an initial look, it
appears to make it possible to cause a buffer over-read with a
carefully crafted message.
I believe that the worst possible impact is that a malicious server
could cause a crash (DoS).
I'd appreciate it if someone else could take a look at this and validate
that I'm not missing something more major.
Thanks,
-D
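The ordering bug discussed in this thread, as an added example that is not code from the report or from libpurple: a small model of the header-skipping step in both the quoted form and the proposed fix, run over a constructed sample response, showing that the original order leaves size at the full buffer length so that the body view the parser goes on to use reaches past the end of the buffer (the body_view type, the helper names and kSample are assumptions made for this example).

```c
#include <stddef.h>
#include <string.h>

/* Where the body starts and how many bytes the rest of the parser will
 * treat as body; body is NULL when "\r\n\r\n" was not found. */
typedef struct { const char *body; size_t size; } body_view;

/* Ordering as quoted from httpconn.c in the report: buf is overwritten
 * before the subtraction, so (s - buf) is always 0 and size keeps the
 * full buffer length even though buf now points past the headers. */
static body_view skip_headers_buggy(const char *buf, size_t size)
{
    const char *s = strstr(buf, "\r\n\r\n");
    if (s == NULL)
        return (body_view){ NULL, 0 };
    s += 4;
    buf = s;
    size -= (s - buf);      /* subtracts 0 */
    return (body_view){ buf, size };
}

/* Ordering proposed in the report: subtract the header length while buf
 * still points at the start of the buffer, then advance buf. */
static body_view skip_headers_fixed(const char *buf, size_t size)
{
    const char *s = strstr(buf, "\r\n\r\n");
    if (s == NULL)
        return (body_view){ NULL, 0 };
    s += 4;
    size -= (s - buf);      /* subtracts the header length */
    buf = s;
    return (body_view){ buf, size };
}

/* Bytes a consumer of the view would read past the end of the original
 * orig_size-byte buffer; 0 means the view stays in bounds. */
static size_t overread_bytes(const char *orig, size_t orig_size, body_view v)
{
    size_t off;
    if (v.body == NULL)
        return 0;
    off = (size_t)(v.body - orig);
    return off + v.size <= orig_size ? 0 : off + v.size - orig_size;
}

/* Constructed sample response: 38 header bytes followed by a 5-byte body. */
static const char kSample[] = "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello";
```

With the sample above, the fixed form reports a 5-byte body that stays in bounds, while the quoted form reports 43 bytes starting 38 bytes into the buffer, i.e. 38 bytes past its end.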