Jabber OOB Transfer security issue
daniel.atallah at gmail.com
Sat Nov 23 20:23:03 EST 2013
On Sat, Nov 23, 2013 at 6:45 PM, Matt Jones <matt at volvent.org> wrote:
> Hey Daniel,
> I didn't investigate this one further than what my writeup said. Why
> wouldn't it be an avenue, can you elaborate a tiny bit?
Sure, it's basically what Thijs Alkemade said on September 20th - the only
place where the value parsed via sscanf from Content-Length is used is as
an argument to purple_xfer_set_size(), which would immediately cast it to a
size_t (which is unsigned).
The worst thing that could happen is that a file transfer for a 2^64 − 1
(on 64-bit systems) byte file would be started.
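
The conversion described in the reply above, shown as an added example that is not part of the original message and is not libpurple code. The function names, the `%ld` format and the `long` type are assumptions made for illustration; the second function is one way to reject a negative or oversized value before it reaches a `size_t` parameter.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked pattern: signed parse, then conversion to size_t.
 * The "%ld" format and the long type are assumptions for illustration. */
size_t unchecked_length(const char *header)
{
    long len = 0;
    if (sscanf(header, "Content-Length: %ld", &len) != 1)
        len = 0;
    /* Same conversion a size_t parameter applies: -1 becomes SIZE_MAX. */
    return (size_t)len;
}

/* Checked pattern: returns 0 and stores the length, or -1 when the value
 * is malformed, negative, or does not fit in size_t. */
int checked_length(const char *header, size_t *out)
{
    static const char prefix[] = "Content-Length: ";
    const char *p;
    char *end;
    unsigned long long v;

    if (strncmp(header, prefix, sizeof prefix - 1) != 0)
        return -1;
    p = header + sizeof prefix - 1;
    if (*p < '0' || *p > '9') /* rejects '-', '+', spaces, empty value */
        return -1;
    errno = 0;
    v = strtoull(p, &end, 10);
    if (errno == ERANGE || v > SIZE_MAX)
        return -1;
    if (*end != '\0' && *end != '\r' && *end != '\n')
        return -1;
    *out = (size_t)v;
    return 0;
}

int main(void)
{
    size_t n = 0; /* the header strings below are constructed samples */
    printf("%zu %d\n", unchecked_length("Content-Length: -1"),
           checked_length("Content-Length: -1", &n));
    return 0;
}
```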