Denial of Service Vulnerabilities

Paul Aurich paul at darkrain42.org
Wed Feb 27 00:23:38 EST 2013


On 02/26/2013 12:18 PM, Thijs Alkemade wrote:
> This seems to point out a much larger issue: iq replies are only looked up by
> their id.

Yep.  Good catch!

> According to darkrain, the only situation where the "from" on a reply would
> not match the "to" on a get legitimately would be situations where sending an
> iq to your own JID (for example, retrieving rosters).

I had a concern (vague recollection of some server which conflated a
user's bare JID with the server JID for one purpose or another, which I
thought was rosters, but now I'm thinking was pings), but the current
'from' enforcement in the roster code does make sure that the
from is either NULL or the user's bare JID.

So, basically: ignore that conversation.

> I think the code should be changed such that:

(in the IQ-parsing code, so callers need not care)

> 1) Registering the iq-callback stores the "to" the iq is sent to.
> 2) The stored JID can be replaced with another JID, for the edge cases
> mentioned above (rosters).

Shouldn't actually be necessary.

> 3) When receiving an iq, not only check if the id occurs in the callbacks
> table, but also check if it matches the expected JID.

Yep, this sounds good to me.

> 
> I'm willing to work on a patch for this, but that will probably not be this
> week.
> 
> Thijs

Paul
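The check agreed on above (look up the reply by id, then confirm its "from" matches the JID the request was sent to, with the self-addressed case accepting either no "from" or the user's own bare JID), written out as an added illustration in C. This is not code from the client under discussion or from either poster; the table layout, the function names `iq_register` and `iq_reply_lookup`, and all JIDs and stanza ids are constructed for the example, and JIDs are compared as exact strings.

```c
/* Added example, not the client's own code: an IQ callback table that
 * remembers where each get/set was sent and refuses a reply whose "from"
 * does not match. All ids and JIDs here are constructed sample values. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PENDING 16

typedef struct {
    char *id;        /* stanza id of the pending get/set */
    char *expected;  /* JID the reply must come from */
    int   self;      /* 1 if the request went to our own account/server */
    int   in_use;
} pending_iq;

static pending_iq table[MAX_PENDING];

/* Remember a pending IQ. `to` may be NULL for requests addressed to our own
 * account (roster fetch etc.); those replies are accepted from no "from" at
 * all or from our bare JID, as the roster code already enforces. */
int iq_register(const char *id, const char *to, const char *own_bare_jid)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        if (table[i].in_use)
            continue;
        table[i].self = (to == NULL || strcmp(to, own_bare_jid) == 0);
        table[i].id = strdup(id);
        table[i].expected = strdup(table[i].self ? own_bare_jid : to);
        table[i].in_use = 1;
        return 1;
    }
    return 0; /* table full */
}

static void slot_free(pending_iq *p)
{
    free(p->id);
    free(p->expected);
    p->in_use = 0;
}

/* Look a reply up by id AND origin.
 *   1  accepted: the callback would fire and the entry is consumed
 *   0  unknown id: ignored, as before
 *  -1  id known but "from" does not match: dropped, entry kept so the
 *      genuine reply can still be matched later */
int iq_reply_lookup(const char *id, const char *from)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        pending_iq *p = &table[i];
        int ok;
        if (!p->in_use || strcmp(p->id, id) != 0)
            continue;
        if (p->self)
            ok = (from == NULL || strcmp(from, p->expected) == 0);
        else
            ok = (from != NULL && strcmp(from, p->expected) == 0);
        if (!ok)
            return -1;
        slot_free(p);
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *me = "me@example.net"; /* constructed own bare JID */
    iq_register("purple1", "alice@example.org/phone", me);
    /* a reply carrying the right id from a different sender is rejected */
    printf("forged reply: %d\n", iq_reply_lookup("purple1", "mallory@example.org"));
    /* the real reply still matches afterwards */
    printf("real reply:   %d\n", iq_reply_lookup("purple1", "alice@example.org/phone"));
    /* self-addressed request: no "from" on the answer is fine */
    iq_register("purple2", NULL, me);
    printf("own roster:   %d\n", iq_reply_lookup("purple2", NULL));
    return 0;
}
```

The rejected path deliberately leaves the entry in place: consuming the callback on a mismatched "from" would hand an attacker a way to cancel legitimate requests, which is the same class of problem the thread is trying to close.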

