Crash in Pidgin and Adium on XMPP MUC Presence

Kevin Stange kevin at steadfast.net
Mon Feb 6 14:07:49 EST 2012


A coworker of mine has caused a remotely triggerable crash (he can crash
everyone in the office) when joining a MUC using empathy.  I'm not
familiar enough with XMPP to know if this might be the XMPP server's
doing instead of the client's.  I haven't been able to find the steps to
recreate a configuration that causes the situation.

I was not able to determine why a rename presence is being sent
initially, but it is the first thing sent to the users in the MUC and
Pidgin and Adium dereference a null pointer when trying to update the
user list within the UI.  Within libpurple, conversation.c seems to
handle this anomaly correctly.

The initial presence message looks like this:

<presence from="chitchat at conference.steadfast.net/brad"
to="kevin at steadfast.net/Workstation" type="unavailable"><x
xmlns="vcard-temp:x:update"><photo/></x><x
xmlns="http://jabber.org/protocol/muc#user"><item
jid="brad at steadfast.net/b74de8f7" affiliation="member"
role="participant" nick="brad at steadfast.net"/><status
code="303"/></x></presence>

I've attached an Adium and Pidgin backtrace each showing effectively the
same issue.  It seems like get_iter_from_chatbuddy could be adjusted to
check if cb is NULL before dereferencing it as cb->ui_data and return FALSE.

Alternatively, the check for if(!old_cbuddy) could be moved up in
pidgin_conv_chat_rename_user() to before attempting to complete the rename.

Someone else should verify which of these fixes would be appropriate.

-- 
Kevin Stange
Chief Technology Officer
Steadfast Networks
http://steadfast.net
Phone: 312-602-2689 ext. 203 | Fax: 312-602-2688 | Cell: 312-320-5867
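Added example, not part of the original message or of Pidgin's source: a hypothetical minimal model of a chat-room user list showing the two fixes the report proposes, a NULL check in the iterator lookup and an early check for the old nick in the rename path. All type and function names here are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of a MUC participant row; not Pidgin's ChatBuddy. */
typedef struct {
    const char *name;
    void *ui_data;      /* UI row handle; NULL until the row has been created */
} ChatBuddy;

typedef struct {
    ChatBuddy *buddies;
    size_t count;
} ChatRoster;

/* Look up a participant by nick; returns NULL when the nick is unknown,
 * which is exactly what happens when a rename (status 303) arrives for a
 * user who was never added to the UI list. */
static ChatBuddy *find_buddy(ChatRoster *r, const char *nick) {
    for (size_t i = 0; i < r->count; i++)
        if (strcmp(r->buddies[i].name, nick) == 0)
            return &r->buddies[i];
    return NULL;
}

/* Bug shape from the report: cb->ui_data is read without checking cb. */
static bool get_iter_from_chatbuddy_unsafe(ChatBuddy *cb, void **iter_out) {
    *iter_out = cb->ui_data;   /* NULL cb dereferenced here -> crash */
    return *iter_out != NULL;
}

/* Fix 1: refuse a NULL cb (or a row with no UI handle) and return false. */
static bool get_iter_from_chatbuddy(ChatBuddy *cb, void **iter_out) {
    if (cb == NULL || cb->ui_data == NULL)
        return false;
    *iter_out = cb->ui_data;
    return true;
}

/* Fix 2: check for the old nick before attempting the rename, so an
 * unknown old nick is ignored rather than passed on to the UI update. */
static bool chat_rename_user(ChatRoster *r, const char *old_nick, const char *new_nick) {
    ChatBuddy *old_cb = find_buddy(r, old_nick);
    if (old_cb == NULL)
        return false;
    void *iter = NULL;
    if (!get_iter_from_chatbuddy(old_cb, &iter))
        return false;
    old_cb->name = new_nick;
    return true;
}
```

The unsafe variant is kept only for contrast with the hardened lookup; a real fix would replace it rather than leave both in place.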