view src/protocols/zephyr/ZIfNotice.c @ 14092:58c9f678b77a
[gaim-migrate @ 16717]
Fix a bug reported by Jon Oberheide. If an incoming oscar message
carries either 1 or 3 extra bytes, our ICBM parser gets into an
infinite loop. This could be caused by a malicious server or a
man-in-the-middle.
committer: Tailor Script <tailor@pidgin.im>
author | Mark Doliner <mark@kingant.net> |
---|---|
date | Sat, 12 Aug 2006 10:59:13 +0000 |
parents | 64895571248f |
children |
/* This file is part of the Project Athena Zephyr Notification System.
 * It contains source for the ZIfNotice function.
 *
 *	Created by:	Robert French
 *
 *	Copyright (c) 1987,1988 by the Massachusetts Institute of Technology.
 *	For copying and distribution information, see the file
 *	"mit-copyright.h".
 */

#include "internal.h"

/*
 * ZIfNotice -- hand back the first queued notice accepted by `predicate`.
 *
 * notice     receives the parsed notice on success.
 * from       if non-NULL, receives the sender address stored on the
 *            matching queue entry.
 * predicate  called as (*predicate)(candidate, args) for each complete
 *            queue entry; a non-zero result selects that entry.
 * args       passed through to predicate untouched.
 *
 * Returns ZERR_NONE once a match has been copied out and removed from the
 * queue, ENOMEM if the copy buffer cannot be allocated, or whatever error
 * Z_WaitForComplete(), ZParseNotice() or Z_ReadWait() reports.
 *
 * On success the malloc'ed packet copy is not freed here; presumably
 * `notice` keeps pointers into it and the caller releases it -- confirm
 * against ZParseNotice() and the notice-freeing routine.
 *
 * NOTE(review): qptr-style entries hold packets received from the network.
 * packet_len sizes both the allocation and the memcpy below; its type and
 * any validation are not visible in this file, so confirm it is checked
 * where the packet is queued.
 */
Code_t ZIfNotice(notice, from, predicate, args)
    ZNotice_t *notice;
    struct sockaddr_in *from;
    int (*predicate) __P((ZNotice_t *, void *));
    void *args;
{
    ZNotice_t candidate;
    Code_t rc;
    char *dup_pkt;
    struct _Z_InputQ *entry;

    rc = Z_WaitForComplete();
    if (rc != ZERR_NONE)
	return (rc);

    for (;;) {
	/*
	 * Every pass restarts at the first complete entry: all of the
	 * queued messages need to be looked over again, in case a
	 * fragment has been reassembled.
	 */
	for (entry = Z_GetFirstComplete(); entry;
	     entry = Z_GetNextComplete(entry)) {
	    /*
	     * NOTE(review): an entry that fails to parse is left on the
	     * queue and the error is returned, so as far as this function
	     * shows a later call meets the same entry again -- confirm the
	     * queueing code never marks an unparsable packet complete.
	     */
	    rc = ZParseNotice(entry->packet, entry->packet_len, &candidate);
	    if (rc != ZERR_NONE)
		return (rc);

	    if (!(*predicate)(&candidate, args))
		continue;

	    /* Match: give the caller a private copy of the raw packet. */
	    dup_pkt = (char *) malloc((unsigned) entry->packet_len);
	    if (!dup_pkt)
		return (ENOMEM);
	    (void) memcpy(dup_pkt, entry->packet, entry->packet_len);

	    /* Written before the re-parse, so it is set even if that fails. */
	    if (from)
		*from = entry->from;

	    rc = ZParseNotice(dup_pkt, entry->packet_len, notice);
	    if (rc != ZERR_NONE) {
		free(dup_pkt);
		return (rc);
	    }

	    Z_RemQueue(entry);
	    return (ZERR_NONE);
	}

	/* Nothing matched; read more input before scanning again. */
	rc = Z_ReadWait();
	if (rc != ZERR_NONE)
	    return (rc);
    }
}