pidgin/android/libpurple

879db2a9a59c
Parents a8aef1d340f2
Children c31cf8de31cd
Fix a bug where the MXit server or a man-in-the-middle could
potentially send specially crafted data that could overflow a buffer
and lead to a crash or remote code execution.

This is CVE-2013-0272.

The problem was detected by Coverity static analysis, and Daniel Atallah
brought it to everyone's attention and got us to fix it.
--- a/ChangeLog Mon Feb 11 01:03:34 2013 -0800
+++ b/ChangeLog Mon Feb 11 01:09:30 2013 -0800
@@ -39,6 +39,9 @@
MXit:
* Fix a bug where a remote MXit user could possibly specify a local
file path to be written to. (CVE-2013-0271)
+ * Fix a bug where the MXit server or a man-in-the-middle could
+ potentially send specially crafted data that could overflow a buffer
+ and lead to a crash or remote code execution. (CVE-2013-0272)
* Display farewell messages in a different colour to distinguish
them from normal messages.
* Add support for typing notification.
--- a/libpurple/protocols/mxit/http.c Mon Feb 11 01:03:34 2013 -0800
+++ b/libpurple/protocols/mxit/http.c Mon Feb 11 01:09:30 2013 -0800
@@ -116,11 +116,12 @@
buflen = session->rx_i;
/* read bytes from the socket */
- len = read( session->fd, buf + buflen, sizeof( buf ) - buflen );
+ len = read( session->fd, buf + buflen, sizeof( buf ) - ( buflen + 1 ) );
if ( len <= 0 ) {
/* connection has been terminated, or error occurred */
goto done;
}
+ buf[buflen+len] = '\0';
//nextpacket:
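Review bot: the new read length `sizeof( buf ) - ( buflen + 1 )` assumes `buflen` (copied from `session->rx_i`) is at most `sizeof( buf ) - 1`, but nothing in the hunk enforces that; if `rx_i` can ever reach `sizeof( buf )` the subtraction is done in `size_t` and wraps to a huge count handed to `read()`, and the terminator store `buf[buflen+len] = '\0';` would land past the end. An explicit guard before the read, e.g. `if ( buflen >= sizeof( buf ) - 1 ) goto done;`, would make the reserved terminator byte unconditional rather than dependent on callers keeping `rx_i` in range. Minor: the commented-out `//nextpacket:` label is dead text and could be dropped.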
@@ -181,7 +182,11 @@
g_free( tmp );
tmp = NULL;
- if ( buflen > ( ( body - buf ) + bodylen ) ) {
+ if ( buflen + bodylen >= CP_MAX_PACKET ) {
+ /* this packet is way to big */
+ goto done;
+ }
+ else if ( buflen > ( ( body - buf ) + bodylen ) ) {
/* we have a second packet here */
next = body + bodylen;
session->rx_res = 0;
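Review bot: the new size check tests `buflen + bodylen >= CP_MAX_PACKET`, while the read in the previous hunk bounds itself by `sizeof( buf )`; unless `buf` is declared with exactly `CP_MAX_PACKET` bytes (its declaration is not in this diff) the two limits can drift apart, so comparing against `sizeof( buf )` here too, or adding a static assertion tying the two together, would be safer. The check also only catches oversized values: if `bodylen` is a signed type and can be negative, `buflen + bodylen` stays under the limit and `next = body + bodylen` points before the body, so a `bodylen < 0` rejection belongs next to it. The bound is further conservative in the other direction: `buflen` already includes whatever part of the body has arrived, so `buflen + bodylen` overstates the final packet size and can reject a packet that would fit; `( body - buf ) + bodylen`, the expression the `else if` already uses for the packet end, is the quantity that has to stay below the buffer size. Also, the comment reads `way to big`; it should be `way too big`.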