Possible bugs

Eric K Wong ekw269 at nyu.edu
Sat Dec 13 23:22:34 EST 2014


I’ve been reviewing the code for Pidgin 2.10.10 as part of an application
security class, and may have found a couple of bugs.  I do not have
exploits or any debugging information—this is strictly from review.

The first possible bug is in libpurple/protocols/gg/lib/events.c.  Here, I
think a crafted packet might be able to cause a program crash (at worst).
The variable ‘host' is defined on line 974 as a 128 character array.
However, when it is used in the sscanf function on line 1251, the format
string specifies 128 characters to write into this array.  I think this
means that if the received string is long enough, since it comes from the
socket, the null termination byte is stored in bit posting 129, causing a
buffer overflow.  The fix is to change the length of ‘host’ or change the
format string to %127s.

The second possible bug is in libpurple/protocols/mxit/http.c and
protocol.c.  Here, I think a crafted packet might be able to cause a
program crash (at worst).  The function mxit_cb_http_read declares the
variable ‘bodylen' as an integer on line 102 and assigns the HTTP content
length via the atoi function on line 185.  Since atoi returns an unsigned
int, a packet that has a small negative (between -254 and -1) or large
positive content length string (4294967042 to 4294967295) will result in a
negative number (between -254 and -1) stored in ‘bodylen’.  This small
negative value in ‘bodylen’ allows the function to execute through to line
238, where it calls mx_parse_packet.  Along the way, on line 206, it
assigns ‘bodylen’ to 'session->rx_i’.  ‘session->rx_i’ is an unsigned int,
so it converts this negative number to a large positive number.  When
execution gets to mxit_parse_packet in protocol.c, it can execute the
nested while-loops until it gets to set the ‘pbreak’ variable to false,
where it reads from ’session->rx_dbuf’.  Getting out of the nested
while-loops may take some time, but along the way memory is being allocated
and may cause a crash (if given the right circumstances).

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20141213/3ff4e7fd/attachment.html>

More information about the security mailing list