[Pidgin] #3336: DoS via large OSCAR ODC frames
Pidgin
trac at pidgin.im
Thu Sep 27 05:47:01 EDT 2007
#3336: DoS via large OSCAR ODC frames
------------------------+---------------------------------------------------
 Reporter:  mirya       |       Owner:  MarkDoliner
     Type:  enhancement |      Status:  new
 Priority:  minor       |   Component:  AIM
  Version:  2.2.0       |    Keywords:  AIm OSCAR ODC DoS
  Pending:  0           |
------------------------+---------------------------------------------------
libpurple sets no size limits for the OSCAR ODC frames received. As the
frame comes directly from the other side (not via the OSCAR server, which
applies some restrictions itself), this may be used for a DoS-style attack;
for example, sending an enormous image will consume a lot of memory for
storage and CPU for rendering.

While a direct connection needs to be explicitly accepted by the user, I
suppose there should be a tunable setting to reject ODC frames (maybe by
closing the ODC connection) larger than that limit.
--
Ticket URL: <http://developer.pidgin.im/ticket/3336>
Pidgin <http://pidgin.im>
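
The mitigation the ticket asks for, as an added example (not libpurple code and not part of the original ticket): a frame reader that checks the declared payload length against a tunable limit before allocating anything. The 4-byte length-only header and the names `frame_reader`, `frame_feed` and `max_payload` are assumptions for illustration, not the real ODC header layout.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, simplified header: a 4-byte big-endian payload length only. */
#define HDR_LEN 4

enum frame_status { FRAME_NEED_MORE, FRAME_READY, FRAME_REJECT };

struct frame_reader {
    size_t   max_payload;   /* tunable limit, e.g. read from a preference */
    uint8_t  hdr[HDR_LEN];
    size_t   hdr_have;
    uint8_t *payload;       /* allocated only after the length check passes */
    size_t   payload_len;
    size_t   payload_have;
};

/* Feed bytes read from the peer; *used reports how many were consumed.
 * On FRAME_REJECT the caller closes the direct connection. */
enum frame_status frame_feed(struct frame_reader *r, const uint8_t *buf,
                             size_t n, size_t *used)
{
    size_t i = 0;
    enum frame_status st = FRAME_NEED_MORE;

    /* A rejected reader stays rejected: header complete, no buffer. */
    if (r->hdr_have == HDR_LEN && r->payload == NULL) { *used = 0; return FRAME_REJECT; }

    while (i < n && r->hdr_have < HDR_LEN)
        r->hdr[r->hdr_have++] = buf[i++];

    if (r->hdr_have == HDR_LEN && r->payload == NULL) {   /* header just completed */
        r->payload_len = ((size_t)r->hdr[0] << 24) | ((size_t)r->hdr[1] << 16) |
                         ((size_t)r->hdr[2] << 8)  |  (size_t)r->hdr[3];
        if (r->payload_len > r->max_payload) { *used = i; return FRAME_REJECT; }
        r->payload = malloc(r->payload_len ? r->payload_len : 1);
        if (r->payload == NULL) { *used = i; return FRAME_REJECT; }
    }
    if (r->hdr_have == HDR_LEN) {
        size_t want = r->payload_len - r->payload_have;
        size_t take = (n - i) < want ? (n - i) : want;
        memcpy(r->payload + r->payload_have, buf + i, take);
        r->payload_have += take;
        i += take;
        if (r->payload_have == r->payload_len) st = FRAME_READY;
    }
    *used = i;
    return st;
}
```

The peer's declared length is never trusted for allocation: an oversized frame is refused after the header bytes alone, so memory use per connection is bounded by `max_payload`.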