(Possible) Null pointer deref in oscar protocol may cause pidgin to crash
Elliott Sales de Andrade
qulogic at pidgin.im
Sun Apr 15 21:50:53 EDT 2012
Hi Huzaifa,
Thanks for reporting this issue.
On Mon, Mar 26, 2012 at 1:42 AM, Huzaifa Sidhpurwala <huzaifas at redhat.com> wrote:
> Hi Folks,
>
> I was looking through pidgin (2.10-2) code and I found a possible null
> pointer deref, not sure if it can be reached via malicious input, but
> it does seem likely to me,
>
> In oscar/family_locate.c:1347
>
> 1347 aim_locate_setcaps(OscarData *od, guint64 caps)
> 1348 {
> 1349 FlapConnection *conn;
> 1350 PurpleAccount *account = purple_connection_get_account(od->gc);
> ...
> ...
> 1358 if (!od || !(conn = flap_connection_findbygroup(od, SNAC_FAMILY_LOCATE)))
> 1359 return -EINVAL;
>
>
> Here on line 1350 od is referenced and then later at 1358 od is checked
> if it's null,
>
>
This check does seem to be incorrect.
> Looking at the callers of aim_locate_setcaps, there seems to be a
> possibility that "od" can be actually NULL, if this is the case,
> it will cause pidgin to crash.
>
As far as I can tell, the only two callers of `aim_locate_setcaps` are
`purple_parse_locaterights` and `oscar_set_status`. Now,
`purple_parse_locaterights` already uses `od` without regard for it being
NULL and `oscar_set_status` also does so, albeit after calling this
function.
Anyway, that means either the check is spurious or there are more callers
that need to check `od` (but I would hope that's the less likely outcome).
Unfortunately, I'm not an expert in the oscar code, but hopefully Mark will
be able to reply about it.
thanks!
--
Elliott aka QuLogic
Pidgin developer
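As an added illustration (not code from this thread or from Pidgin itself), the check-ordering problem Huzaifa describes beside the corrected ordering. The types and the two helper functions are hypothetical stand-ins with the same shape as the calls in the quoted lines; `sample_od` is a constructed fixture.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
/* Stand-in types (hypothetical, not libpurple's real definitions): just
 * enough structure for od->gc and the LOCATE flap lookup to be exercised. */
typedef struct { int id; } PurpleAccount;
typedef struct { PurpleAccount *account; } PurpleConnection;
typedef struct { int group; } FlapConnection;
typedef struct { PurpleConnection *gc; FlapConnection *locate_conn; } OscarData;
#define SNAC_FAMILY_LOCATE 0x0002
static PurpleAccount *purple_connection_get_account(PurpleConnection *gc) {
    return gc->account;
}
static FlapConnection *flap_connection_findbygroup(OscarData *od, int group) {
    FlapConnection *c = od->locate_conn;
    return (c && c->group == group) ? c : NULL;
}

/* Ordering as in the quoted 2.10 code: od->gc is read on the first line, so
 * a NULL od faults before line 1358's check runs. An optimizing compiler may
 * also drop that later !od test entirely, since od was already dereferenced. */
int setcaps_check_after_use(OscarData *od, uint64_t caps) {
    FlapConnection *conn;
    PurpleAccount *account = purple_connection_get_account(od->gc);
    (void)account; (void)caps;
    if (!od || !(conn = flap_connection_findbygroup(od, SNAC_FAMILY_LOCATE)))
        return -EINVAL;
    return 0;
}

/* Corrected ordering: no use of od precedes the NULL check, so a NULL od
 * yields -EINVAL instead of a crash. */
int setcaps_check_before_use(OscarData *od, uint64_t caps) {
    FlapConnection *conn;
    PurpleAccount *account;
    if (!od || !(conn = flap_connection_findbygroup(od, SNAC_FAMILY_LOCATE)))
        return -EINVAL;
    account = purple_connection_get_account(od->gc);
    (void)account; (void)caps;
    return 0;
}
/* Constructed fixture: an OscarData with or without a LOCATE flap connection. */
OscarData *sample_od(int with_locate) {
    static PurpleAccount acct = { 1 };
    static PurpleConnection gc = { &acct };
    static FlapConnection fc = { SNAC_FAMILY_LOCATE };
    static OscarData od;
    od.gc = &gc;
    od.locate_conn = with_locate ? &fc : NULL;
    return &od;
}
```

Only the reordered version can be called with a NULL `od` without faulting; both behave identically for a valid connection.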