[Pidgin] #15055: Don't allow writing to SSL socket until handshake is finished
Pidgin
trac at pidgin.im
Tue Apr 10 13:26:45 EDT 2012
#15055: Don't allow writing to SSL socket until handshake is finished
----------------------------------+-----------------------------------------
Reporter: MarkDoliner | Owner:
Type: patch | Status: new
Component: libpurple | Version: 2.10.3
Keywords: ssl tls crash socket |
----------------------------------+-----------------------------------------
Florian said:
"I've just spent a few hours debugging the current most common Instantbird
crasher. The stacks we received showed crashes in the SSL handshake. It
turns out the real cause is some prpls corrupting the NSS socket by
writing data to it before the end of the handshake when they are
disconnected (either because of a user action or a connection error)
before being fully connected. Here is a patch that prevents the crashes:
http://pastebin.instantbird.com/26588"
Then I said:
"It seems like maybe those should be g_return_val_if_fail(). Like, it
seems like an error in the code if something tries to write to a socket
that isn't ready yet. Also, it seems like we should try to change the
prpl(s) to not try to write to a socket that isn't ready?"
Then Florian said:
"The oscar code attempts to check if the socket is initialized or not:
http://lxr.instantbird.org/instantbird/source/purple/libpurple/protocols/oscar/flap_connection.c#367
conn->gsc->connect_data will be non-null if the proxy code is still busy
trying to open the socket, but unfortunately there doesn't seem to be an
easy way for the code to check if the SSL handshake is done.
I can also add that this crash with stacks in the SSL handshake started to
get frequent after we ifdef'ed out the libpurple initialization of NSS to
use instead the NSS initialized by the Mozilla platform; that comes with
the Mozilla certificate store. That's possibly just a coincidence that the
crash wasn't noticeable before, as the invalid writes to the sockets
already existed, obviously."
--
Ticket URL: <http://developer.pidgin.im/ticket/15055>
Pidgin <http://pidgin.im>
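
The guard discussed in the ticket, shown as an added example: this is not the patch from the pastebin link and not libpurple code. The `tls_conn` type, its states and both functions are hypothetical names, and the `wire` buffer stands in for the real TLS layer. It models a connection being closed before its handshake finished, where the write must be refused rather than reach the socket.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical connection model; none of these names are libpurple's. */
enum tls_state { TLS_CONNECTING, TLS_HANDSHAKING, TLS_READY, TLS_CLOSED };

struct tls_conn {
    enum tls_state state;
    char wire[64];   /* stand-in for the TLS record layer */
    size_t wire_len;
};

/* Reject application data unless the handshake has completed. */
ssize_t tls_conn_write(struct tls_conn *c, const void *buf, size_t len)
{
    if (c == NULL || buf == NULL) { errno = EINVAL; return -1; }
    if (c->state != TLS_READY) { errno = ENOTCONN; return -1; }
    if (len > sizeof c->wire - c->wire_len) { errno = ENOBUFS; return -1; }
    memcpy(c->wire + c->wire_len, buf, len);
    c->wire_len += len;
    return (ssize_t)len;
}

/* Teardown: try a goodbye message, then close. Returns 1 if it was sent. */
int tls_conn_close(struct tls_conn *c)
{
    static const char bye[] = "BYE";   /* constructed sample payload */
    int sent = tls_conn_write(c, bye, sizeof bye - 1) > 0;
    c->state = TLS_CLOSED;
    return sent;
}

int main(void)
{
    struct tls_conn c = { TLS_HANDSHAKING, {0}, 0 };
    printf("write during handshake: %zd\n", tls_conn_write(&c, "hi", 2));
    printf("goodbye sent on close: %d\n", tls_conn_close(&c));
    return 0;
}
```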