Possible null pointer dereference in msn httpconn.c
John Bailey
rekkanoryo at rekkanoryo.org
Mon May 9 23:58:11 EDT 2011
On 05/09/2011 02:15 AM, Mark Doliner wrote:
> The below patch is simple enough to fix the crash in question.

Then we're ready for a release once all translations have been committed and the
mxit branch has been propagated to im.pidgin.pidgin again.

> There's kind of a bigger question as to what the best behavior is in
> this situation. If SessionID token is missing because the user is being
> man-in-the-middle attacked then we probably want to throw away the
> entire packet because it could have been tampered with. But then if
> someone is tampering with your MSN session they could just as easily
> include a usable SessionID. So you don't gain much from throwing away
> the packet.
>
> We could assume the packet is legitimate and just not something we know
> how to parse, and we could try to continue with our session. If this is
> something we care about then msn_httpconn_parse_data() probably
> shouldn't call msn_httpconn_process_queue() until we actually have a
> session id. But the HTTP method isn't even the default connection
> method, so I don't know how much we care about this.

If we know that the real server won't send us packets without a session id in
this scenario, then I'd say it's obvious that we should do something drastic
like throw away the packet or throw up a connection error. Otherwise, I'd say
do whatever non-crashy sane behavior we can manage.
John
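As an added illustration of the "don't process the queue until we actually have a session id" option discussed above (this is example code written for this page, not Pidgin's msn/httpconn.c and not the patch Mark refers to): a small C parser for a gateway response header that carries a SessionID token. The header shape `X-MSN-Messenger: SessionID=...; GW-IP=...`, the `httpconn_*` names and the status enum are assumptions of the example. The point it shows is that the parse step reports a missing SessionID as a status instead of leaving a NULL behind for the queue step to dereference, and the driver can then drop the packet or raise a connection error as the thread suggests.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of looking at one gateway response (names are this example's own). */
typedef enum {
    HTTPCONN_OK,            /* SessionID present: safe to process the queue */
    HTTPCONN_NO_SESSION,    /* header parsed, but no SessionID token in it */
    HTTPCONN_BAD_HEADER     /* header missing or malformed */
} httpconn_status;

typedef struct {
    char *session_id;   /* NULL until a SessionID token has been seen */
    char *gateway_ip;   /* optional GW-IP token, may stay NULL */
} httpconn;

/* Copy the value of "key=" out of a ';'-separated token list.
 * Returns a malloc'd string, or NULL when the key is absent. */
static char *token_value(const char *list, const char *key)
{
    size_t klen = strlen(key);
    const char *p = list;
    while (*p) {
        while (*p == ' ' || *p == ';') p++;
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *start = p + klen + 1;
            const char *end = strchr(start, ';');
            size_t len = end ? (size_t)(end - start) : strlen(start);
            char *v = malloc(len + 1);
            if (!v) return NULL;
            memcpy(v, start, len);
            v[len] = '\0';
            return v;
        }
        const char *next = strchr(p, ';');   /* skip to the next token */
        if (!next) break;
        p = next;
    }
    return NULL;
}

/* Locate the (assumed) "X-MSN-Messenger:" header in a raw response and
 * update conn. A missing SessionID leaves conn->session_id untouched. */
httpconn_status httpconn_parse_header(httpconn *conn, const char *response)
{
    static const char name[] = "X-MSN-Messenger:";
    const char *h = strstr(response, name);
    if (!h) return HTTPCONN_BAD_HEADER;
    h += sizeof(name) - 1;
    while (*h == ' ') h++;
    const char *eol = strpbrk(h, "\r\n");
    size_t len = eol ? (size_t)(eol - h) : strlen(h);
    char *line = malloc(len + 1);
    if (!line) return HTTPCONN_BAD_HEADER;
    memcpy(line, h, len);
    line[len] = '\0';

    char *sid = token_value(line, "SessionID");
    char *gw  = token_value(line, "GW-IP");
    free(line);
    if (gw) { free(conn->gateway_ip); conn->gateway_ip = gw; }
    if (!sid) return HTTPCONN_NO_SESSION;
    free(conn->session_id);
    conn->session_id = sid;
    return HTTPCONN_OK;
}

/* Stand-in for the queue-processing step: it refuses to run without a
 * session id, so nothing here can dereference a NULL session_id. */
int httpconn_process_queue(httpconn *conn)
{
    if (!conn->session_id) return 0;          /* not ready; caller decides */
    return (int)strlen(conn->session_id);     /* placeholder for real work */
}

/* Parse first, process only when ready. Returns 1 if the queue ran. */
int httpconn_handle(httpconn *conn, const char *response)
{
    httpconn_status st = httpconn_parse_header(conn, response);
    if (st != HTTPCONN_OK) return 0;  /* drop the packet or report a connection error */
    return httpconn_process_queue(conn) > 0;
}

void httpconn_free(httpconn *conn)
{
    free(conn->session_id);
    free(conn->gateway_ip);
    conn->session_id = conn->gateway_ip = NULL;
}

int main(void)
{
    /* Constructed sample responses; addresses are documentation-range values. */
    httpconn c = { NULL, NULL };
    const char *with_sid = "HTTP/1.1 200 OK\r\nX-MSN-Messenger: SessionID=abc123; GW-IP=203.0.113.7\r\n\r\n";
    const char *no_sid   = "HTTP/1.1 200 OK\r\nX-MSN-Messenger: GW-IP=203.0.113.7\r\n\r\n";
    printf("with SessionID: queue ran = %d\n", httpconn_handle(&c, with_sid));
    printf("no SessionID:   queue ran = %d\n", httpconn_handle(&c, no_sid));
    httpconn_free(&c);
    return 0;
}
```

The status value is what lets the caller choose between the two behaviours in the thread: treat `HTTPCONN_NO_SESSION` as a fatal connection error, or keep the existing session and simply not touch the queue until a later packet supplies a SessionID.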