bug in msn plugin

yiğit boyar yboyar at gmail.com
Tue Sep 14 20:46:02 EDT 2010


We have a list of bots running on top of libpurple and recently, some of the
msn bots were failing.
I've dug into the issue and found the following:
In the msn_oim_report_to_user function inside the libpurple/protocols/msn/oim.c
file, line 603, the function does not check if the message body is null or
not.

I don't know how a null msg arrives, but upon receiving that msg, line 656 gets
a segmentation fault:

decode_msg = (char *)purple_base64_decode(message->body, &body_len);


Here is the debug log before the crash:


(17:42:50) soap: POST //rsi/rsi.asmx HTTP/1.1

SOAPAction: http://www.hotmail.msn.com/ws/2004/09/oim/rsi/GetMessage

Content-Type:text/xml; charset=utf-8

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Accept: */*

Host: rsi.hotmail.com

Content-Length: 892

Connection: Keep-Alive

Cache-Control: no-cache


<soap:Envelope xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/' xmlns:xsd='
http://www.w3.org/2001/XMLSchema'><soap:Header><PassportCookie xmlns='
http://www.hotmail.msn.com/ws/2004/09/oim/rsi'><t>9fdlzAgGeHTactqFjdsB2vFN31LL3AbOuVzegbpg4ZoNQIAQr2Zxwf5sbmujGy5llxlBaM5bgAEIuc2ECrvKJOnkFiA6UiRo2SWJ5bRyi9o1UZMqh8XEhyAo7z6PBKwakfHlTnTsivf53XBn3gJoLWbA$$</t><p>9fDU!wGuSD0udoM7M28lmfRT!EmC0Ql5U6TUhLFI5DLVqz1qpxIdNvRd*4jLHb!Ptq3qF7qIR0!qBXo0mnVc2b6oofyqi7qeI3HvoGAU1YyA5NSCwU39wagAHwC4N*xqxV9B9zZBTP!qSiP8I7DI8d60!895W6md7BlTLcVUIk*yoXrsw4adHiEEUrvukgyQkCpTSw!5KsttTawAecKS*Frnm0Ei9LzwhJ</p></PassportCookie></soap:Header><soap:Body><GetMessage
xmlns='http://www.hotmail.msn.com/ws/2004/09/oim/rsi
'><messageId>3FF790AE-B865-4EBF-B599-452536F1C683</messageId><alsoMarkAsRead>false</alsoMarkAsRead></GetMessage></soap:Body></soap:Envelope>

(17:42:50) msn: S: SB 001: USR 1 OK *example at example.com* *username*

(17:42:50) msn: C: SB 001: CAL 2 *example2 at example2.com*

(17:42:51) msn: S: SB 001: CAL 2 RINGING 1523626997

(17:42:51) soap: read 1425 bytes

(17:42:51) soap: current HTTP/1.1 200 OK

Connection: close

Date: Wed, 15 Sep 2010 00:42:51 GMT

Server: Microsoft-IIS/6.0

P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"

xxn:10

X-Powered-By: ASP.NET

X-AspNet-Version: 1.1.4322

Cache-Control: private, max-age=0

Content-Type: text/xml; charset=utf-8

Content-Length: 1114


<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="
http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="
http://www.w3.org/2001/XMLSchema"><soap:Body><GetMessageResponse xmlns="
http://www.hotmail.msn.com/ws/2004/09/oim/rsi"><GetMessageResult>X-Originating-IP:
[88.234.212.152]

X-Originating-Email: []

X-Message-Routing:
eZqPogY4VCfJMli9auZVI8wsf+FU0RYdmyjHW9qle80kOvlj/TCwrNJcuiCpAjVnJcYTE

From: =?utf-8?B?QWltZWU=?=
<a1_naylor1986 at hotmail.com<lt%3Ba1_naylor1986 at hotmail.com>
>

To: <sd98 at speeddate-im.com <lt%3Bsd98 at speeddate-im.com>>

Subject:

X-OIM-originatingSource: 88.234.212.152

X-DS-server: BLU144-DS8

X-OIMProxy: MSNMSGR

Message-ID: <BLU144-DS8936934934 at BLU144-DS8.phx.gbl>

X-OriginalArrivalTime: 31 Aug 2010 22:51:42.9501 (UTC)
FILETIME=[14C70E0C:01CB495F]

Date: 31 Aug 2010 15:51:42 -0700

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: base64

MIME-Version: 1.0

X-OIM-Message-Type: OfflineMessage

X-OIM-Run-Id: {cff6d859-e421-4925-898b-439cef872303}

X-OIM-Sequence-Num: 22


</GetMessageResult></GetMessageResponse></soap:Body></soap:Envelope>

(17:42:51) soap: ignoring malformed line: P3P:CP="BUS CUR CONo FIN IVDo ONL
OUR PHY SAMo TELo"

(17:42:51) soap: ignoring malformed line: xxn:10

(17:42:51) msn: oim body:{(null)}

dns[457]: Oops, father has gone, wait for me, wait...!

Segmentation fault


yigit
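
The guard this report calls for, as an added example that is not part of the original message and is not libpurple's code: a NULL or empty OIM body is dropped before any base64 decoding happens. struct oim_msg, oim_decode_body and the small decoder standing in for purple_base64_decode are hypothetical names chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed message: body is NULL when the OIM has headers only. */
struct oim_msg { const char *body; };

/* Value of one base64 character, or -1 if outside the alphabet. */
static int b64_val(int c)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Stand-in decoder; assumed here to dereference its input unconditionally. */
static char *b64_decode(const char *in, size_t *out_len)
{
    size_t n = strlen(in), o = 0;
    char *out = malloc(n / 4 * 3 + 4);
    unsigned acc = 0, bits = 0;
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        int v = b64_val((unsigned char)in[i]);
        if (v < 0) continue;            /* skip '=' padding and line breaks */
        acc = (acc << 6) | (unsigned)v;
        if ((bits += 6) >= 8) out[o++] = (char)((acc >> (bits -= 8)) & 0xFF);
    }
    out[o] = '\0'; *out_len = o;
    return out;
}

/* Guarded decode: a missing or empty body gives NULL and *len == 0. */
char *oim_decode_body(const struct oim_msg *m, size_t *len)
{
    *len = 0;
    if (m == NULL || m->body == NULL || m->body[0] == '\0')
        return NULL;
    return b64_decode(m->body, len);
}

int main(void)
{
    struct oim_msg empty = { NULL }; /* constructed: the "oim body:{(null)}" case */
    size_t len;
    puts(oim_decode_body(&empty, &len) ? "decoded" : "skipped empty OIM");
    return 0;
}
```

The caller owns the returned buffer and frees it; a NULL return means there is nothing to show the user and the message can be skipped.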