# HG changeset patch # User david.jedelsky@gmail.com # Date 1234724518 0 # Node ID a3e3c6331e06eab641e01d5a88edd8a7909b30cd # Parent a946cffda321eba88003df063d05f64d81f684a4 Fix recipt of ICQ messages from the mobile client "Slick." Fixes #7084, #7595. committer: John Bailey diff -r a946cffda321 -r a3e3c6331e06 ChangeLog --- a/ChangeLog Sun Feb 15 07:19:59 2009 +0000 +++ b/ChangeLog Sun Feb 15 19:01:58 2009 +0000 @@ -15,6 +15,7 @@ of buddy icons and available messages. * Properly publish status messages for statuses other than Available. ICQ 6.x users can now see these status messages. (Daniel Ljungborg) + * Fix recipt of messages from the mobile client Slick. (David Jedelsky) MSN: * Fix transfer of buddy icons, custom smileys, and files from the diff -r a946cffda321 -r a3e3c6331e06 libpurple/protocols/oscar/family_icbm.c --- a/libpurple/protocols/oscar/family_icbm.c Sun Feb 15 07:19:59 2009 +0000 +++ b/libpurple/protocols/oscar/family_icbm.c Sun Feb 15 19:01:58 2009 +0000 @@ -1566,9 +1566,10 @@ static int incomingim_ch1(OscarData *od, FlapConnection *conn, aim_module_t *mod, FlapFrame *frame, aim_modsnac_t *snac, guint16 channel, aim_userinfo_t *userinfo, ByteStream *bs, guint8 *cookie) { - guint16 type, length; + guint16 type, length, magic1, msglen; aim_rxcallback_t userfunc; int ret = 0; + int rev = 0; struct aim_incomingim_ch1_args args; unsigned int endpos; 
@@ -1603,10 +1604,30 @@ * - 0101 -- Unknown * - Message * + * Slick and possible others reverse 'Features' and 'Messages' section. + * Thus, the TLV could have following layout: + * - 0101 -- Unknown (possibly magic for message section) + * - Message + * - 0501 -- Unknown (possibly magic for features section) + * - Features: Don't know how to interpret these */ - byte_stream_get8(bs); /* 05 */ - byte_stream_get8(bs); /* 01 */ + magic1 = byte_stream_get16(bs); /* 0501 or 0101 */ + if (magic1 == 0x101) /* Bad, message comes before attributes */ + { + /* Jump to the features section */ + msglen = byte_stream_get16(bs); + bs->offset += msglen; + rev = 1; + + magic1 = byte_stream_get16(bs); /* 0501 */ + } + + if (magic1 != 0x501) + { + purple_debug_misc("oscar", "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.\n", userinfo->sn); + break; + } args.featureslen = byte_stream_get16(bs); if (args.featureslen > byte_stream_empty(bs)) @@ -1624,11 +1645,25 @@ args.icbmflags |= AIM_IMFLAGS_CUSTOMFEATURES; } + if (rev) + { + /* Fix buffer back to message */ + bs->offset -= args.featureslen + 2 + 2 + msglen + 2 + 2; + } + + magic1 = byte_stream_get16(bs); /* 01 01 */ + if (magic1 != 0x101) /* Bad, message comes before attributes */ + { + purple_debug_misc("oscar", "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.\n", userinfo->sn); + break; + } + msglen = byte_stream_get16(bs); + /* * The rest of the TLV contains one or more message * blocks... */ - incomingim_ch1_parsemsgs(od, userinfo, bs->data + bs->offset /* XXX evil!!! */, length - 2 - 2 - args.featureslen, &args); + incomingim_ch1_parsemsgs(od, userinfo, bs->data + bs->offset - 2 - 2 /* XXX evil!!! */, msglen + 2 + 2, &args); } else if (type == 0x0003) { /* Server Ack Requested */
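Review bot: In the reversed-layout branch, `bs->offset += msglen;` advances the stream by a length read straight from the wire with no check against the bytes left in the TLV, while `args.featureslen` a few lines below is checked against `byte_stream_empty(bs)` before it is used. If msglen is larger than the remaining data the offset lands beyond the end of the buffer and the following `byte_stream_get16` calls operate on an out-of-range offset; what ByteStream does with an offset past its length is not visible here, so this is a suspected out-of-bounds read rather than a confirmed one. Guard it the same way the features length is guarded: right after `msglen = byte_stream_get16(bs);` add `if (msglen > byte_stream_empty(bs)) { purple_debug_misc("oscar", "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.\n", userinfo->sn); break; }` before the `bs->offset += msglen;`. The enclosing `if (type == 0x0002)` block and the function incomingim_ch1 itself start outside this hunk.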
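Review bot: The length now passed to `incomingim_ch1_parsemsgs` is `msglen + 2 + 2`, taken from the inner block header that was just read, whereas the replaced call bounded it by the TLV length (`length - 2 - 2 - args.featureslen`); nothing in the hunk checks the new msglen against the data that actually remains, so an oversized value lets parsemsgs read past the TLV. Add `if (msglen > byte_stream_empty(bs)) { purple_debug_misc("oscar", "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.\n", userinfo->sn); break; }` directly after `msglen = byte_stream_get16(bs);`, matching the 0x101 check just above it. Separately, the kept comment says the rest of the TLV holds "one or more message blocks", and the old length covered all of them while the new one covers only the first; if multi-block messages are still expected in the normal (non-reversed) layout, the old TLV-derived length should be kept for that path, which I infer rather than see here. The `} else if (type == 0x0003)` branch continues outside the hunk.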