[Pidgin] #4332: Crash in out_cmd when "OUT" command's params are NULL.

Pidgin trac at pidgin.im
Sun Dec 9 22:13:26 EST 2007 

#4332: Crash in out_cmd when "OUT" command's params are NULL.
-------------------+--------------------------------------------------------
Reporter:  tedp    |       Owner:  khc
    Type:  defect  |      Status:  new
Priority:  minor   |   Component:  MSN
 Version:  2.3.1   |    Keywords:     
 Pending:  0       |  
-------------------+--------------------------------------------------------
 out_cmd() in msnp9 is called with cmd->params == NULL. That pointer is
 dereferenced for the call to g_ascii_strcasecmp causing a segfault. See
 the backtrace.

 This is pidgin 2.3.1-1 (Debian package).

 {{{
 Program received signal SIGSEGV, Segmentation fault.
 [Switching to Thread 0xb7b916c0 (LWP 6400)]

 (gdb) bt full
 #0  0xb768abc7 in out_cmd (cmdproc=0x853bf90, cmd=0x8736cb8) at
 ../../../../libpurple/protocols/msnp9/notification.c:339
 No locals.
 #1  0xb767f018 in msn_cmdproc_process_cmd (cmdproc=0x853bf90,
 cmd=0x8736cb8) at ../../../../libpurple/protocols/msnp9/cmdproc.c:313
         error_cb = <value optimized out>
         cb = (MsnTransCb) 0
         trans = (MsnTransaction *) 0x0
 #2  0xb767f184 in msn_cmdproc_process_cmd_text (cmdproc=0x853bf90,
 command=0x8721b90 "OUT") at
 ../../../../libpurple/protocols/msnp9/cmdproc.c:335
 No locals.
 #3  0xb768e25f in read_cb (data=0x853bf38, source=15,
 cond=PURPLE_INPUT_READ) at
 ../../../../libpurple/protocols/msnp9/servconn.c:446
         buf = "OUT\r\n\000AL 1
 messenger at microsoft.com\r\n\000\020ƿ\024\000\000\000�\\\021\b8��Np\020ƿ��\032\b�\016ƿ0��N\024\000\000\000\000\000\000\000\020]\021\b8��N8��N�}\217N�\020ƿo��Np\020ƿ\024\023ƿp\020ƿ\000\000\000\000\\\020ƿ\000\000\000\000(\017ƿ\000\000\000\000\000\000�?���NັN\001",
 '\0' <repeats 15 times>, "\f", '\0' <repeats 11 times>,
 "T\020ƿ\000\000�?p\"s\b\000\000\000\000\220�\032\b\000\000\000\001\000\000\000\000\000\000�?��"...
         end = 0x8721b95 ""
         old_rx_buf = 0x8721b90 "OUT"
         len = <value optimized out>
         cur_len = <value optimized out>
 #4  0x080a3fa3 in pidgin_io_invoke (source=0x85824f0, condition=<value
 optimized out>, data=0x8543798) at ../../pidgin/gtkeventloop.c:78
         purple_cond = PURPLE_INPUT_READ
 <snip>Frames with no symbol table info, all in
 /usr/lib/libglib-2.0.so.0</snip>
 #13 0x4eaab1c6 in g_main_context_dispatch () from
 /usr/lib/libglib-2.0.so.0
 No symbol table info available.
 Backtrace stopped: frame did not save the PC

 (gdb) print *cmd
 $3 = {trId = 0, command = 0x85a2d20 "OUT", params = 0x0, param_count = 0,
 ref_count = 1, trans = 0x0, payload = 0x0, payload_len = 0, payload_cb =
 0}

 (gdb) print *cmdproc
 $4 = {session = 0x853c000, servconn = 0x853bf38, txqueue = 0x853b310,
 last_cmd = 0x8736cb8, cbs_table = 0x81626d0, history = 0x853bf18, data =
 0x8297cf0}

 (gdb) list
 334
 **************************************************************************/
 335
 336     static void
 337     out_cmd(MsnCmdProc *cmdproc, MsnCommand *cmd)
 338     {
 339             if (!g_ascii_strcasecmp(cmd->params[0], "OTH"))
 340                     msn_session_set_error(cmdproc->session,
 MSN_ERROR_SIGN_OTHER,
 341                                                               NULL);
 342             else if (!g_ascii_strcasecmp(cmd->params[0], "SSD"))
 343                     msn_session_set_error(cmdproc->session,
 MSN_ERROR_SERV_DOWN, NULL);
 }}}

-- 
Ticket URL: <http://developer.pidgin.im/ticket/4332>
Pidgin <http://pidgin.im>
Pidgin

More information about the Tracker mailing list