pidgin/pidgin

In Novell Groupwise, fix potential remote crash parsing server message
release-2.x.y
2014-04-08, Mark Doliner
44fd89158777
Parents 6436e14bdb9d
Children a324d01ba1c5
In Novell Groupwise, fix potential remote crash parsing server message
that indicates that a large amount of memory should be allocated. I
added arbitrary max size checks that are hopefully larger than any real
expected value. It was kinda weird that the existing check on checked
MAXINT. We'll want to request a CVE ID for this.

Discovered by Yves Younan and Richard Johnson of Sourcefire VRT
2 files changed, 21 insertions(+), 13 deletions(-)
  • +5 -0
    ChangeLog
  • +16 -13
    libpurple/protocols/novell/nmevent.c
    • --- a/ChangeLog Mon Apr 07 23:45:55 2014 -0700
    +++ b/ChangeLog Tue Apr 08 00:31:25 2014 -0700
    @@ -12,6 +12,11 @@
    Gadu-Gadu:
    * Updated internal libgadu to version 1.12.0-rc2.
    + Groupwise:
    + * Fix potential remote crash parsing server message that indicates that
    + a large amount of memory should be allocated. (Discovered by Yves Younan
    + and Richard Johnson of Sourcefire VRT) (CVE-2014-NNNN)
    +
    MXit:
    * Fix potential remote crash parsing a malformed emoticon response.
    (Discovered by Yves Younan and Richard Johnson of Sourcefire VRT)
    --- a/libpurple/protocols/novell/nmevent.c Mon Apr 07 23:45:55 2014 -0700
    +++ b/libpurple/protocols/novell/nmevent.c Tue Apr 08 00:31:25 2014 -0700
    @@ -149,7 +149,7 @@
    /* Read the conference guid */
    rc = nm_read_uint32(conn, &size);
    - if (size == MAX_UINT32) return NMERR_PROTOCOL;
    + if (size > 1000) return NMERR_PROTOCOL;
    if (rc == NM_OK) {
    guid = g_new0(char, size + 1);
    @@ -164,7 +164,7 @@
    /* Read the message text */
    if (rc == NM_OK) {
    rc = nm_read_uint32(conn, &size);
    - if (size == MAX_UINT32) return NMERR_PROTOCOL;
    + if (size > 100000) return NMERR_PROTOCOL;
    if (rc == NM_OK) {
    msg = g_new0(char, size + 1);
    @@ -270,7 +270,7 @@
    /* Read the conference guid */
    rc = nm_read_uint32(conn, &size);
    - if (size == MAX_UINT32) return NMERR_PROTOCOL;
    + if (size > 1000) return NMERR_PROTOCOL;
    if (rc == NM_OK) {
    guid = g_new0(char, size + 1);
    @@ -280,7 +280,7 @@
    /* Read the the message */
    if (rc == NM_OK) {
    rc = nm_read_uint32(conn, &size);
    - if (size == MAX_UINT32) return NMERR_PROTOCOL;
    + if (size > 100000) return NMERR_PROTOCOL;
    if (rc == NM_OK) {
    msg = g_new0(char, size + 1);
    @@ -349,7 +349,7 @@
    /* Read the conference guid */
    rc = nm_read_uint32(conn, &size);
    - if (size == MAX_UINT32) return NMERR_PROTOCOL;
    + if (size > 1000) return NMERR_PROTOCOL;
    if (rc == NM_OK) {
    guid = g_new0(char, size + 1);
    @@ -401,7 +401,7 @@
    /* Read the conference guid */
    rc = nm_read_uint32(conn, &size);
    - if (size == MAX_UINT32) return NMERR_PROTOCOL;
    + if (size > 1000) return NMERR_PROTOCOL;
    if (rc == NM_OK) {
    guid = g_new0(char, size + 1);
    @@ -440,7 +440,7 @@
    /* Read the conference guid */
    rc = nm_read_uint32(conn, &size);
    - if (size == MAX_UINT32) return NMERR_PROTOCOL;
    + if (size > 1000) return NMERR_PROTOCOL;
    if (rc == NM_OK) {
    guid = g_new0(char, size + 1);
    @@ -490,7 +490,7 @@
    /* Read the conference guid */
    rc = nm_read_uint32(conn, &size);
    - if (size == MAX_UINT32) return NMERR_PROTOCOL;
    + if (size > 1000) return NMERR_PROTOCOL;
    if (rc == NM_OK) {
    guid = g_new0(char, size + 1);
    @@ -530,7 +530,7 @@
    /* Read the conference guid */
    rc = nm_read_uint32(conn, &size);
    - if (size == MAX_UINT32) return NMERR_PROTOCOL;
    + if (size > 1000) return NMERR_PROTOCOL;
    if (rc == NM_OK) {
    guid = g_new0(char, size + 1);
    @@ -589,7 +589,7 @@
    /* Read the conference guid */
    rc = nm_read_uint32(conn, &size);
    - if (size == MAX_UINT32) return NMERR_PROTOCOL;
    + if (size > 1000) return NMERR_PROTOCOL;
    if (rc == NM_OK) {
    guid = g_new0(char, size + 1);
    @@ -632,7 +632,7 @@
    /* Read the status text */
    rc = nm_read_uint32(conn, &size);
    - if (size == MAX_UINT32) return NMERR_PROTOCOL;
    + if (size > 10000) return NMERR_PROTOCOL;
    if (rc == NM_OK) {
    text = g_new0(char, size + 1);
    @@ -670,7 +670,7 @@
    /* Read the conference guid */
    rc = nm_read_uint32(conn, &size);
    - if (size == MAX_UINT32) return NMERR_PROTOCOL;
    + if (size > 1000) return NMERR_PROTOCOL;
    if (rc == NM_OK) {
    guid = g_new0(char, size + 1);
    @@ -833,7 +833,10 @@
    /* Read the event source */
    rc = nm_read_uint32(conn, &size);
    if (rc == NM_OK) {
    - if (size > 0) {
    + if (size > 1000000) {
    + /* Size is larger than our 1MB sanity check. Ignore it. */
    + rc = NMERR_PROTOCOL;
    + } else {
    source = g_new0(char, size);
    rc = nm_read_all(conn, source, size);