view libpurple/protocols/mxit/chunk.c @ 29466:69077f3993f6

Fix CVE-2010-0277, a possible remote crash when parsing an incoming SLP message. Discovered by Fabian Yamaguchi.
author Mark Doliner <mark@kingant.net>
date Tue, 16 Feb 2010 08:54:07 +0000
parents 259bbfb423d4
children a8cc50c2279f 754459ff7b23
line wrap: on
line source

/*
 *					MXit Protocol libPurple Plugin
 *
 *			-- handle chunked data (multimedia messages) --
 *
 *				Pieter Loubser	<libpurple@mxit.com>
 *
 *			(C) Copyright 2009	MXit Lifestyle (Pty) Ltd.
 *				<http://www.mxitlifestyle.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02111-1301  USA
 */

#include    "internal.h"
#include	"purple.h"
#include	"protocol.h"
#include	"mxit.h"
#include	"chunk.h"
#include	"filexfer.h"


/*========================================================================================================================
 * Data-Type encoding
 */

#if	0
#include	<byteswap.h>
#if (__BYTE_ORDER == __BIG_ENDIAN)
#define SWAP_64(x)  (x)
#else
#define SWAP_64(x)  bswap_64(x)
#endif
#endif

/*------------------------------------------------------------------------
 * Encode a single byte in the chunked data.
 *
 *  @param chunkdata		The chunked-data buffer
 *  @param value			The byte
 *  @return					The number of bytes added.
 */
static int add_int8( char* chunkdata, char value )
{
	*chunkdata = value;

	return sizeof( char );
}

/*------------------------------------------------------------------------
 * Encode a 16-bit value in the chunked data.
 *
 *  @param chunkdata		The chunked-data buffer
 *  @param value			The 16-bit value
 *  @return					The number of bytes added.
 */
static int add_int16( char* chunkdata, short value )
{
	value = htons( value );		/* network byte-order */
	memcpy( chunkdata, &value, sizeof( short ) );

	return sizeof( short );
}

/*------------------------------------------------------------------------
 * Encode a 32-bit value in the chunked data.
 *
 *  @param chunkdata		The chunked-data buffer
 *  @param value			The 32-bit value
 *  @return					The number of bytes added.
 */
static int add_int32( char* chunkdata, int value )
{
	value = htonl( value );		/* network byte-order */
	memcpy( chunkdata, &value, sizeof( int ) );

	return sizeof( int );
}

#if	0
/*------------------------------------------------------------------------
 * Encode a 64-bit value in the chunked data.
 *
 *  @param chunkdata		The chunked-data buffer
 *  @param value			The 64-bit value
 *  @return					The number of bytes added.
 */
static int add_int64( char* chunkdata, int64_t value )
{
	value = SWAP_64( value );	/* network byte-order */
	memcpy( chunkdata, &value, sizeof( int64_t ) );

	return sizeof( int64_t );
}
#endif

/*------------------------------------------------------------------------
 * Encode a block of data in the chunked data.
 *
 *  @param chunkdata		The chunked-data buffer
 *  @param data				The data to add
 *  @param datalen			The length of the data to add
 *  @return					The number of bytes added.
 */
static int add_data( char* chunkdata, const char* data, int datalen )
{
	memcpy( chunkdata, data, datalen );

	return datalen;
}

/*------------------------------------------------------------------------
 * Encode a string as UTF-8 in the chunked data.
 *
 *  @param chunkdata		The chunked-data buffer
 *  @param str				The string to encode
 *  @return					The number of bytes in the string
 */
static int add_utf8_string( char* chunkdata, const char* str )
{
	int		pos		= 0;
	size_t	len		= strlen( str );

	/* utf8 string length [2 bytes] */
	pos += add_int16( &chunkdata[pos], len );

	/* utf8 string */
	pos += add_data( &chunkdata[pos], str, len );

	return pos;
}


/*========================================================================================================================
 * Data-Type decoding
 */

/*------------------------------------------------------------------------
 * Extract a single byte from the chunked data.
 *
 *  @param chunkdata		The chunked-data buffer
 *  @param value			The byte
 *  @return					The number of bytes extracted.
 */
static int get_int8( const char* chunkdata, char* value )
{
	*value = *chunkdata;

	return sizeof( char );
}

/*------------------------------------------------------------------------
 * Extract a 16-bit value from the chunked data.
 *
 *  @param chunkdata		The chunked-data buffer
 *  @param value			The 16-bit value
 *  @return					The number of bytes extracted
 */
static int get_int16( const char* chunkdata, short* value )
{
	*value = ntohs( *( (const short*) chunkdata ) );	/* host byte-order */

	return sizeof( short );
}

/*------------------------------------------------------------------------
 * Extract a 32-bit value from the chunked data.
 *
 *  @param chunkdata		The chunked-data buffer
 *  @param value			The 32-bit value
 *  @return					The number of bytes extracted
 */
static int get_int32( const char* chunkdata, int* value )
{
	*value = ntohl( *( (const int*) chunkdata ) );	/* host byte-order */

	return sizeof( int );
}

#if	0
/*------------------------------------------------------------------------
 * Extract a 64-bit value from the chunked data.
 *
 *  @param chunkdata		The chunked-data buffer
 *  @param value			The 64-bit value
 *  @return					The number of bytes extracted
 */
static int get_int64( const char* chunkdata, int64_t* value )
{
	*value = SWAP_64( *( (const int64_t*) chunkdata ) );	/* host byte-order */

	return sizeof( int64_t );
}
#endif

/*------------------------------------------------------------------------
 * Copy a block of data from the chunked data.
 *
 *  @param chunkdata		The chunked-data buffer
 *  @param dest				Where to store the extract data
 *  @param datalen			The length of the data to extract
 *  @return					The number of bytes extracted
 */
static int get_data( const char* chunkdata, char* dest, int datalen )
{
	memcpy( dest, chunkdata, datalen );

	return datalen;
}

/*------------------------------------------------------------------------
 * Extract a UTF-8 encoded string from the chunked data.
 *
 *  @param chunkdata		The chunked-data buffer
 *  @param str				A pointer to extracted string.  Must be g_free()'d.
 *  @return					The number of bytes consumed
 */
static int get_utf8_string( const char* chunkdata, char* str, int maxstrlen )
{
	int		pos = 0;
	short	len;
	int		skip = 0;

	/* string length [2 bytes] */
	pos += get_int16( &chunkdata[pos], &len );

	if ( len > maxstrlen ) {
		/* possible buffer overflow */
		purple_debug_error( MXIT_PLUGIN_ID, "Buffer overflow detected (get_utf8_string)\n" );
		skip = len - maxstrlen;
		len = maxstrlen;
	}

	/* string data */
	pos += get_data( &chunkdata[pos], str, len );
	str[len] = '\0';		/* terminate string */

	return pos + skip;
}


/*========================================================================================================================
 * Chunked Data encoding
 */

/*------------------------------------------------------------------------
 * Encode a "reject file" chunk.  (Chunk type 7)
 *
 *  @param chunkdata		Chunked-data buffer
 *  @param fileid			A unique ID that identifies this file
 *  @return					The number of bytes encoded in the buffer
 */
int mxit_chunk_create_reject( char* chunkdata, const char* fileid )
{
	int		pos		= 0;

	/* file id [8 bytes] */
	pos += add_data( &chunkdata[pos], fileid, MXIT_CHUNK_FILEID_LEN );

	/* rejection reason [1 byte] */
	pos += add_int8( &chunkdata[pos], REJECT_BY_USER );

	/* rejection description [UTF-8 (optional)] */
	pos += add_utf8_string( &chunkdata[pos], "" );

	return pos;
}


/*------------------------------------------------------------------------
 * Encode a "get file" request chunk.  (Chunk type 8)
 *
 *  @param chunkdata		Chunked-data buffer
 *  @param fileid			A unique ID that identifies this file
 *  @param filesize			The number of bytes to retrieve
 *  @param offset			The start offset in the file
 *  @return					The number of bytes encoded in the buffer
 */
int mxit_chunk_create_get( char* chunkdata, const char* fileid, int filesize, int offset )
{
	int		pos		= 0;

	/* file id [8 bytes] */
	pos += add_data( &chunkdata[pos], fileid, MXIT_CHUNK_FILEID_LEN );

	/* offset [4 bytes] */
	pos += add_int32( &chunkdata[pos], offset );

	/* length [4 bytes] */
	pos += add_int32( &chunkdata[pos], filesize );

	return pos;
}


/*------------------------------------------------------------------------
 * Encode a "received file" chunk.  (Chunk type 9)
 *
 *  @param chunkdata		Chunked-data buffer
 *  @param fileid			A unique ID that identifies this file
 *  @param status			The status of the file transfer (see chunk.h)
 *  @return					The number of bytes encoded in the buffer
 */
int mxit_chunk_create_received( char* chunkdata, const char* fileid, unsigned char status )
{
	int		pos		= 0;

	/* file id [8 bytes] */
	pos += add_data( &chunkdata[pos], fileid, MXIT_CHUNK_FILEID_LEN );

	/* status [1 byte] */
	pos += add_int8( &chunkdata[pos], status );

	return pos;
}


/*------------------------------------------------------------------------
 * Encode a "send file direct" chunk.  (Chunk type 10)
 *
 *  @param chunkdata		Chunked-data buffer
 *  @param username			The username of the recipient
 *  @param filename			The name of the file being sent
 *  @param data				The file contents
 *  @param datalen			The size of the file contents
 *  @return					The number of bytes encoded in the buffer
 */
int mxit_chunk_create_senddirect( char* chunkdata, const char* username, const char* filename, const unsigned char* data, int datalen )
{
	int			pos		= 0;
	const char*	mime	= NULL;

	/* data length [4 bytes] */
	pos += add_int32( &chunkdata[pos], datalen );

	/* number of username(s) [2 bytes] */
	pos += add_int16( &chunkdata[pos], 1 );

	/* username(s) [UTF-8] */
	pos += add_utf8_string( &chunkdata[pos], username );

	/* filename [UTF-8] */
	pos += add_utf8_string( &chunkdata[pos], filename );

	/* file mime type [UTF-8] */
	mime = file_mime_type( filename, (const char*) data, datalen );
	pos += add_utf8_string( &chunkdata[pos], mime );

	/* human readable description [UTF-8 (optional)] */
	pos += add_utf8_string( &chunkdata[pos], "" );

	/* crc [4 bytes] (0 = optional) */
	pos += add_int32( &chunkdata[pos], 0 );

	/* the actual file data */
	pos += add_data( &chunkdata[pos], (const char *) data, datalen );

	return pos;
}


/*------------------------------------------------------------------------
 * Encode a "set avatar" chunk.  (Chunk type 13)
 *
 *  @param chunkdata		Chunked-data buffer
 *  @param data				The avatar data
 *  @param datalen			The size of the avatar data
 *  @return					The number of bytes encoded in the buffer
 */
int mxit_chunk_create_set_avatar( char* chunkdata, const unsigned char* data, int datalen )
{
	const char	fileid[MXIT_CHUNK_FILEID_LEN];
	int			pos = 0;

	/* id [8 bytes] */
	memset( &fileid, 0, sizeof( fileid ) );		/* set to 0 for file upload */
	pos += add_data( &chunkdata[pos], fileid, MXIT_CHUNK_FILEID_LEN );

	/* size [4 bytes] */
	pos += add_int32( &chunkdata[pos], datalen );

	/* crc [4 bytes] (0 = optional) */
	pos += add_int32( &chunkdata[pos], 0 );

	/* the actual file data */
	pos += add_data( &chunkdata[pos], (const char *) data, datalen );

	return pos;
}


/*------------------------------------------------------------------------
 * Encode a "get avatar" chunk.  (Chunk type 14)
 *
 *  @param chunkdata		Chunked-data buffer
 *  @param mxitId			The username who's avatar to download
 *  @param avatarId			The Id of the avatar image (as string)
 *  @param imgsize			The resolution of the avatar image
 *  @return					The number of bytes encoded in the buffer
 */
int mxit_chunk_create_get_avatar( char* chunkdata, const char* mxitId, const char* avatarId, unsigned int imgsize )
{
	int			pos = 0;

	/* number of avatars [4 bytes] */
	pos += add_int32( &chunkdata[pos], 1 );

	/* username [UTF-8] */
	pos += add_utf8_string( &chunkdata[pos], mxitId );

	/* avatar id [UTF-8] */
	pos += add_utf8_string( &chunkdata[pos], avatarId );

	/* avatar format [UTF-8] */
	pos += add_utf8_string( &chunkdata[pos], MXIT_AVATAR_TYPE );

	/* avatar bit depth [1 byte] */
	pos += add_int8( &chunkdata[pos], MXIT_AVATAR_BITDEPT );

	/* number of sizes [2 bytes] */
	pos += add_int16( &chunkdata[pos], 1 );

	/* image size [4 bytes] */
	pos += add_int32( &chunkdata[pos], imgsize );

	return pos;
}


/*========================================================================================================================
 * Chunked Data decoding
 */

/*------------------------------------------------------------------------
 * Parse a received "offer file" chunk.  (Chunk 6)
 *
 *  @param chunkdata		Chunked data buffer
 *  @param datalen			The length of the chunked data
 *  @param offer			Decoded offerfile information
 */
void mxit_chunk_parse_offer( char* chunkdata, int datalen, struct offerfile_chunk* offer )
{
	int			pos			= 0;

	purple_debug_info( MXIT_PLUGIN_ID, "mxit_chunk_parse_offer (%i bytes)\n", datalen );

	/* id [8 bytes] */
	pos += get_data( &chunkdata[pos], offer->fileid, 8);

	/* from username [UTF-8] */
	pos += get_utf8_string( &chunkdata[pos], offer->username, sizeof( offer->username ) );
	mxit_strip_domain( offer->username );

	/* file size [4 bytes] */
	pos += get_int32( &chunkdata[pos], &(offer->filesize) );

	/* filename [UTF-8] */
	pos += get_utf8_string( &chunkdata[pos], offer->filename, sizeof( offer->filename) );

	/* mime type [UTF-8] */
	/* not used by libPurple */

	/* timestamp [8 bytes] */
	/* not used by libPurple */

	/* file description [UTF-8] */
	/* not used by libPurple */

	/* file alternative [UTF-8] */
	/* not used by libPurple */

	/* flags [4 bytes] */
	/* not used by libPurple */
}


/*------------------------------------------------------------------------
 * Parse a received "get file" response chunk.  (Chunk 8)
 *
 *  @param chunkdata		Chunked data buffer
 *  @param datalen			The length of the chunked data
 *  @param offer			Decoded getfile information
 */
void mxit_chunk_parse_get( char* chunkdata, int datalen, struct getfile_chunk* getfile )
{
	int			pos			= 0;

	purple_debug_info( MXIT_PLUGIN_ID, "mxit_chunk_parse_file (%i bytes)\n", datalen );

	/* id [8 bytes] */
	pos += get_data( &chunkdata[pos], getfile->fileid, 8 );

	/* offset [4 bytes] */
	pos += get_int32( &chunkdata[pos], &(getfile->offset) );

	/* file length [4 bytes] */
	pos += get_int32( &chunkdata[pos], &(getfile->length) );

	/* crc [4 bytes] */
	pos += get_int32( &chunkdata[pos], &(getfile->crc) );

	/* file data */
	getfile->data = &chunkdata[pos];
}


/*------------------------------------------------------------------------
 * Parse a received splash screen chunk.  (Chunk 2)
 *
 *  @param chunkdata		Chunked data buffer
 *  @param datalen			The length of the chunked data
 *  @param splash			Decoded splash image information
 */
static void mxit_chunk_parse_splash( char* chunkdata, int datalen, struct splash_chunk* splash )
{
	int			pos			= 0;

	purple_debug_info( MXIT_PLUGIN_ID, "mxit_chunk_parse_splash (%i bytes)\n", datalen );

	/* anchor [1 byte] */
	pos += get_int8( &chunkdata[pos], &(splash->anchor) );

	/* time to show [1 byte] */
	pos += get_int8( &chunkdata[pos], &(splash->showtime) );

	/* background color [4 bytes] */
	pos += get_int32( &chunkdata[pos], &(splash->bgcolor) );

	/* file data */
	splash->data = &chunkdata[pos];

	/* data length */
	splash->datalen = datalen - pos;
}


/*------------------------------------------------------------------------
 * Parse a received "custom resource" chunk.  (Chunk 1)
 *
 *  @param chunkdata		Chunked data buffer
 *  @param datalen			The length of the chunked data
 *  @param offer			Decoded custom resource
 */
void mxit_chunk_parse_cr( char* chunkdata, int datalen, struct cr_chunk* cr )
{
	int			pos			= 0;
	int			chunklen	= 0;

	purple_debug_info( MXIT_PLUGIN_ID, "mxit_chunk_parse_cr (%i bytes)\n", datalen );

	/* id [UTF-8] */
	pos += get_utf8_string( &chunkdata[pos], cr->id, sizeof( cr->id ) );

	/* handle [UTF-8] */
	pos += get_utf8_string( &chunkdata[pos], cr->handle, sizeof( cr->handle ) );

	/* operation [1 byte] */
	pos += get_int8( &chunkdata[pos], &(cr->operation) );

	/* chunk size [4 bytes] */
	pos += get_int32( &chunkdata[pos], &chunklen );

	/* parse the resource chunks */
	while ( chunklen > 0 ) {
		gchar* chunk = &chunkdata[pos];

		/* start of chunk data */
		pos += MXIT_CHUNK_HEADER_SIZE;

		switch ( chunk_type( chunk ) ) {
			case CP_CHUNK_SPLASH :			/* splash image */
				{
					struct splash_chunk* splash = g_new0( struct splash_chunk, 1 );

					mxit_chunk_parse_splash( &chunkdata[pos], chunk_length( chunk ), splash );

					cr->resources = g_list_append( cr->resources, splash );
					break;
				}
			case CP_CHUNK_CLICK :			/* splash click */
				{
					struct splash_click_chunk* click = g_new0( struct splash_click_chunk, 1 );
					
					cr->resources = g_list_append( cr->resources, click );
					break;
				}
			default:
				purple_debug_info( MXIT_PLUGIN_ID, "Unsupported custom resource chunk received (%i)\n", chunk_type( chunk) );
		}

		/* skip over data to next resource chunk */
		pos += chunk_length( chunk );
		chunklen -= ( MXIT_CHUNK_HEADER_SIZE + chunk_length( chunk ) );
	}
}


/*------------------------------------------------------------------------
 * Parse a received "get avatar" response chunk.  (Chunk 14)
 *
 *  @param chunkdata		Chunked data buffer
 *  @param datalen			The length of the chunked data
 *  @param avatar			Decoded avatar information
 */
void mxit_chunk_parse_get_avatar( char* chunkdata, int datalen, struct getavatar_chunk* avatar )
{
	int			pos			= 0;
	int			numfiles	= 0;

	purple_debug_info( MXIT_PLUGIN_ID, "mxit_chunk_parse_get_avatar (%i bytes)\n", datalen );

	/* number of files [4 bytes] */
	pos += get_int32( &chunkdata[pos], &numfiles );

	if ( numfiles < 1 )		/* no data */
		return;

	/* mxitId [UTF-8 string] */
	pos += get_utf8_string( &chunkdata[pos], avatar->mxitid, sizeof( avatar->mxitid ) );

	/* avatar id [UTF-8 string] */
	pos += get_utf8_string( &chunkdata[pos], avatar->avatarid, sizeof( avatar->avatarid ) );

	/* format [UTF-8 string] */
	pos += get_utf8_string( &chunkdata[pos], avatar->format, sizeof( avatar->format ) );

	/* bit depth [1 byte] */
	pos += get_int8( &chunkdata[pos], &(avatar->bitdepth) );

	/* crc [4 bytes] */
	pos += get_int32( &chunkdata[pos], &(avatar->crc) );

	/* width [4 bytes] */
	pos += get_int32( &chunkdata[pos], &(avatar->width) );

	/* height [4 bytes] */
	pos += get_int32( &chunkdata[pos], &(avatar->height) );

	/* file length [4 bytes] */
	pos += get_int32( &chunkdata[pos], &(avatar->length) );

	/* file data */
	avatar->data = &chunkdata[pos];
}