Receipt of an invalid XMPP Jingle "session-initiate" iq missing certain fields causes libpurple to dereference a NULL pointer.
Paul Aurich
paul at darkrain42.org
Mon Oct 24 22:48:09 EDT 2011
On Sun, Oct 23, 2011 at 11:49:17PM +0200, Thijs Alkemade wrote:
> Hello all,
>
<snip/> (missing "media" attr on "description" element)
<snip/> (missing "creator" on "content" element)
>
> According to the spec
> (http://xmpp.org/extensions/xep-0167.html#schema-content), a
> "<description>" element is required to have a "media" attribute, but
> that is missing here.
> libpurple/protocols/jabber/jingle/rtp.c:jingle_rtp_parse_codecs()
> checks with strcmp if the media attribute is "video" or "audio", but
> that means it will crash if it is NULL. Also, "<content>" is required
> to have a "creator", but excluding that also causes a similar crash
> with strcmp in jingle_rtp_init_media().
>
> I have encountered this bug with Adium 1.5hg, which currently uses
> libpurple 2.10. I have no reason to assume it doesn't apply to Pidgin
> 2.10, but I have not been able to test this. There are more uses of
> strcmp() in libpurple/protocols/jabber/jingle/rtp.c, but I have not
> verified if those allow similar crashes. As Adium 1.4.3 (the latest
> release) doesn't include VV, it won't be vulnerable to this bug (so
> fixing this quickly is for us not a priority).
Yep, thanks for reporting these. I audited further strcmp uses, and
believe the following will also crash (some tested, but constructing
one side of a Jingle flow by hand [on the fly] is painful)
* jingle_handle_content_modify ('senders' is NULL, requires some
valid Jingle data structs locally)
* jingle_session_find_content() (called in most of the
jingle_handle_content_* functions), if 'name' attribute is missing
* jingle_session_find_pending_content() (via content-accept and
content-reject)
All the other uses I looked at didn't appear to be crashers. I would
still like to replace all with purple_strequal (except where relatively
obvious that something is not-NULL or it's more appropriate to
explicitly handle NULLs first, like in jingle_rtp_init_media)
jingle_rtp_init_media also appears to be leaking memory and refs to the
JingleSession under error conditions. I need to look into that further.
>
> I hope I've given enough information, let me know if you need to know
> more.
>
> Best regards,
> Thijs Alkemade
Sending these two stanzas triggers a content-modify crash:
<iq id='asdf' to='target' type='set'>
  <jingle xmlns='urn:xmpp:jingle:1' action='session-initiate'
          initiator='paul at darkrain42.org/Testing' sid='asdf'>
    <content creator='initiator' name='voice'>
      <description xmlns='urn:xmpp:jingle:apps:rtp:1' media='audio'>
      </description>
      <transport xmlns='urn:xmpp:jingle:transports:ice-udp:1'>
      </transport>
    </content>
  </jingle>
</iq>

<iq id='fdsa' to='target' type='set'>
  <jingle xmlns='urn:xmpp:jingle:1' action='content-modify'
          initiator='paul at darkrain42.org/Testing' sid='asdf'>
    <content creator='initiator' />
  </jingle>
</iq>
~Paul
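The bug class discussed in this thread is a strcmp() applied directly to an attribute value that may be absent, i.e. NULL. The following is an added illustration written for this page, not code from libpurple or from either poster: it models the "media" and "creator" lookups with a tiny attribute array (a stand-in for xmlnode_get_attrib(), which returns NULL for a missing attribute), shows the crashing strcmp() pattern next to a version built on a NULL-safe comparison with the same contract as purple_strequal(), and shows the explicit NULL check first for the creator case, as the reply suggests for jingle_rtp_init_media. The element and attribute data are constructed inline from the stanzas quoted above; all function and type names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Stand-in for an XML element's attribute list: a NULL-terminated array of
 * name/value pairs, constructed inline for this example. */
typedef struct {
    const char *name;
    const char *value;
} attr_t;

/* Mirrors the contract of xmlnode_get_attrib(): NULL when the attribute
 * is absent. Any strcmp() on that return value must cope with NULL. */
static const char *get_attrib(const attr_t *attrs, const char *name)
{
    for (; attrs && attrs->name; attrs++)
        if (strcmp(attrs->name, name) == 0)
            return attrs->value;
    return NULL;
}

/* NULL-safe comparison with the same semantics as libpurple's
 * purple_strequal(): two NULLs compare equal, NULL never equals a string. */
static bool str_equal(const char *a, const char *b)
{
    return (a == b) || (a && b && strcmp(a, b) == 0);
}

enum media_kind { MEDIA_UNKNOWN = 0, MEDIA_AUDIO, MEDIA_VIDEO };

/* The pattern the report describes: strcmp() straight on the attribute.
 * With 'media' missing this passes NULL to strcmp(), which is undefined
 * behaviour and a NULL dereference on ordinary libc builds. */
static enum media_kind classify_media_unsafe(const attr_t *description)
{
    const char *media = get_attrib(description, "media");
    if (!strcmp(media, "audio")) return MEDIA_AUDIO;
    if (!strcmp(media, "video")) return MEDIA_VIDEO;
    return MEDIA_UNKNOWN;
}

/* Hardened form: every comparison goes through the NULL-safe helper, so a
 * <description> without 'media' is simply classified as unknown. */
static enum media_kind classify_media_safe(const attr_t *description)
{
    const char *media = get_attrib(description, "media");
    if (str_equal(media, "audio")) return MEDIA_AUDIO;
    if (str_equal(media, "video")) return MEDIA_VIDEO;
    return MEDIA_UNKNOWN;
}

/* <content creator=...>: reject the malformed stanza explicitly before
 * comparing. Returns 1 for 'initiator', 0 for 'responder', -1 when the
 * required attribute is missing or has an unexpected value. */
static int content_is_from_initiator(const attr_t *content)
{
    const char *creator = get_attrib(content, "creator");
    if (creator == NULL)
        return -1;  /* required by XEP-0167; missing here, so bail out */
    if (str_equal(creator, "initiator")) return 1;
    if (str_equal(creator, "responder")) return 0;
    return -1;
}

/* Constructed sample elements modelled on the stanzas quoted in the thread. */
static const attr_t well_formed_description[] = {
    { "xmlns", "urn:xmpp:jingle:apps:rtp:1" }, { "media", "audio" }, { NULL, NULL }
};
static const attr_t description_missing_media[] = {
    { "xmlns", "urn:xmpp:jingle:apps:rtp:1" }, { NULL, NULL }
};
static const attr_t content_missing_creator[] = {
    { "name", "voice" }, { NULL, NULL }
};

int main(void)
{
    /* Only the safe paths are exercised on the malformed elements;
     * classify_media_unsafe(description_missing_media) would crash. */
    printf("well-formed media -> %d\n", classify_media_unsafe(well_formed_description));
    printf("missing media     -> %d\n", classify_media_safe(description_missing_media));
    printf("missing creator   -> %d\n", content_is_from_initiator(content_missing_creator));
    return 0;
}
```

The point of the two media functions sitting side by side is that they are textually almost identical: the fix is mechanical, which is why the reply proposes replacing strcmp() wholesale with purple_strequal() except where a NULL should be handled as an explicit error, as content_is_from_initiator() does.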