diff libpurple/protocols/msn/slp.c @ 29466:69077f3993f6
Fix CVE-2010-0277, a possible remote crash when parsing an incoming
SLP message. Discovered by Fabian Yamaguchi.
author | Mark Doliner <mark@kingant.net> |
---|---|
date | Tue, 16 Feb 2010 08:54:07 +0000 |
parents | 3a43e48c870e |
children | 1a9977557dc9 c5a7516418c7 |
--- a/libpurple/protocols/msn/slp.c Tue Feb 16 08:50:49 2010 +0000 +++ b/libpurple/protocols/msn/slp.c Tue Feb 16 08:54:07 2010 +0000 @@ -741,11 +741,10 @@ if (!strncmp(body, "INVITE", strlen("INVITE"))) { char *branch; + char *call_id; char *content; char *content_type; - slpcall = msn_slpcall_new(slplink); - /* From: <msnmsgr:buddy@hotmail.com> */ #if 0 slpcall->remote_user = get_token(body, "From: <msnmsgr:", ">\r\n"); @@ -753,7 +752,7 @@ branch = get_token(body, ";branch={", "}"); - slpcall->id = get_token(body, "Call-ID: {", "}"); + call_id = get_token(body, "Call-ID: {", "}"); #if 0 long content_len = -1; @@ -767,13 +766,15 @@ content = get_token(body, "\r\n\r\n", NULL); - if (branch && content_type && content) + if (branch && call_id && content_type && content) { + slpcall = msn_slpcall_new(slplink); + slpcall->id = call_id; got_invite(slpcall, branch, content_type, content); } else { - msn_slpcall_destroy(slpcall); + g_free(call_id); slpcall = NULL; }
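Review bot: The `#if 0` block left as context at the end of the first hunk (`-741,11 +741,10`) still assigns `slpcall->remote_user`, but the `msn_slpcall_new(slplink)` call that used to precede it is removed here and the allocation now happens only after all tokens are validated. As far as the visible lines show, re-enabling that block would write through `slpcall` before it refers to a call object for this INVITE. Either delete the dead block or mark it with a comment such as `/* slpcall is not allocated yet; it is created only once branch, call_id, content_type and content are all present */`. The enclosing function starts and ends outside the hunk.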
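Review bot: The rejection branch in the last hunk (`-767,13 +766,15`) discards a malformed INVITE silently: the `else` frees `call_id` and sets `slpcall = NULL` without recording that a peer sent an INVITE lacking a branch, Call-ID, Content-Type or body. Because this is the path remote malformed input now takes, a debug line such as `purple_debug_warning("msn", "Ignoring malformed SLP INVITE\n");` would make such messages visible when triaging crashes or abuse. The assignment `slpcall->id = call_id;` also deserves a short comment, `/* slpcall takes ownership of call_id */`, since the success path must not free it while the failure path must. Whether `branch`, `content_type` and `content` are released on both paths is not visible here; the block continues past the hunk.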