Mercurial > pidgin
annotate libgaim/protocols/qq/recv_core.c @ 14498:26bca01c7076
[gaim-migrate @ 17217]
Fix CID 273 (NULL deref)
committer: Tailor Script <tailor@pidgin.im>
author | Daniel Atallah <daniel.atallah@gmail.com> |
---|---|
date | Sun, 10 Sep 2006 15:13:59 +0000 |
parents | 902c3aa4950a |
children | 6b8bc59414f0 |
rev | line source |
---|---|
14192 | 1 /** |
2 * The QQ2003C protocol plugin | |
3 * | |
4 * for gaim | |
5 * | |
6 * Copyright (C) 2004 Puzzlebird | |
7 * | |
8 * This program is free software; you can redistribute it and/or modify | |
9 * it under the terms of the GNU General Public License as published by | |
10 * the Free Software Foundation; either version 2 of the License, or | |
11 * (at your option) any later version. | |
12 * | |
13 * This program is distributed in the hope that it will be useful, | |
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 * GNU General Public License for more details. | |
17 * | |
18 * You should have received a copy of the GNU General Public License | |
19 * along with this program; if not, write to the Free Software | |
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
21 */ | |
22 | |
23 #include "debug.h" | |
24 #include "internal.h" | |
25 | |
26 #include "buddy_info.h" | |
27 #include "buddy_list.h" | |
28 #include "buddy_opt.h" | |
29 #include "buddy_status.h" | |
30 #include "char_conv.h" | |
31 #include "crypt.h" | |
32 #include "group_network.h" | |
33 #include "header_info.h" | |
34 #include "keep_alive.h" | |
35 #include "im.h" | |
36 #include "login_logout.h" | |
37 #include "packet_parse.h" | |
38 #include "qq_proxy.h" | |
39 #include "recv_core.h" | |
40 #include "sendqueue.h" | |
41 #include "sys_msg.h" | |
42 #include "utils.h" | |
43 | |
44 typedef struct _packet_before_login packet_before_login; | |
45 typedef struct _qq_recv_msg_header qq_recv_msg_header; | |
46 | |
47 struct _packet_before_login { | |
48 guint8 *buf; | |
49 gint len; | |
50 }; | |
51 | |
52 struct _qq_recv_msg_header { | |
53 guint8 header_tag; | |
54 guint16 source_tag; | |
55 guint16 cmd; | |
56 guint16 seq; /* can be ack_seq or send_seq, depends on cmd */ | |
57 }; | |
58 | |
59 /* check whether one sequence number is duplicated or not | |
60 * return TRUE if it is duplicated, otherwise FALSE */ | |
61 static gboolean _qq_check_packet_set_window(guint16 seq, GaimConnection *gc) | |
62 { | |
63 qq_data *qd; | |
64 guint8 *byte, mask; | |
65 | |
66 g_return_val_if_fail(gc != NULL && gc->proto_data != NULL, FALSE); | |
67 qd = (qq_data *) gc->proto_data; | |
68 byte = &(qd->window[seq / 8]); | |
69 mask = (1 << (seq % 8)); | |
70 | |
71 if ((*byte) & mask) | |
72 return TRUE; /* check mask */ | |
73 (*byte) |= mask; | |
74 return FALSE; /* set mask */ | |
75 } /* _qq_check_packet_set_window */ | |
76 | |
77 /* default process, decrypt and dump */ | |
78 static void _qq_process_packet_default(guint8 *buf, gint buf_len, guint16 cmd, guint16 seq, GaimConnection *gc) | |
79 { | |
80 qq_data *qd; | |
81 guint8 *data; | |
82 gchar *msg_utf8; | |
83 gint len; | |
84 | |
85 g_return_if_fail(gc != NULL && gc->proto_data != NULL); | |
86 g_return_if_fail(buf != NULL && buf_len != 0); | |
87 | |
88 qd = (qq_data *) gc->proto_data; | |
89 len = buf_len; | |
90 data = g_newa(guint8, len); | |
91 msg_utf8 = NULL; | |
92 | |
93 _qq_show_packet("Processing unknown packet", buf, len); | |
94 if (qq_crypt(DECRYPT, buf, buf_len, qd->session_key, data, &len)) { | |
95 gaim_debug(GAIM_DEBUG_WARNING, "QQ", | |
96 ">>> [%d] %s, %d bytes -> [default] decrypt and dump\n%s", | |
97 seq, qq_get_cmd_desc(cmd), buf_len, hex_dump_to_str(data, len)); | |
98 try_dump_as_gbk(data, len); | |
99 } else { | |
100 gaim_debug(GAIM_DEBUG_ERROR, "QQ", "Fail decrypt packet with default process\n"); | |
101 } | |
102 } | |
103 | |
104 /* process the incoming packet from qq_pending */ | |
105 static void _qq_packet_process(guint8 *buf, gint buf_len, GaimConnection *gc) | |
106 { | |
107 qq_data *qd; | |
108 gint len, bytes_expected, bytes_read; | |
109 guint16 buf_len_read; /* two bytes in the begining of TCP packet */ | |
110 guint8 *cursor; | |
111 qq_recv_msg_header header; | |
112 packet_before_login *b4_packet; | |
113 | |
114 g_return_if_fail(gc != NULL && gc->proto_data != NULL); | |
115 g_return_if_fail(buf != NULL && buf_len > 0); | |
116 | |
117 qd = (qq_data *) gc->proto_data; | |
118 bytes_expected = qd->use_tcp ? QQ_TCP_HEADER_LENGTH : QQ_UDP_HEADER_LENGTH; | |
119 | |
120 if (buf_len < bytes_expected) { | |
121 gaim_debug(GAIM_DEBUG_ERROR, | |
122 "QQ", "Received packet is too short, dump and drop\n%s", hex_dump_to_str(buf, buf_len)); | |
123 return; | |
124 } | |
125 /* initialize */ | |
126 cursor = buf; | |
127 bytes_read = 0; | |
128 | |
129 /* QQ TCP packet returns first 2 bytes the length of this packet */ | |
130 if (qd->use_tcp) { | |
131 bytes_read += read_packet_w(buf, &cursor, buf_len, &buf_len_read); | |
132 if (buf_len_read != buf_len) { /* wrong */ | |
133 gaim_debug | |
134 (GAIM_DEBUG_ERROR, | |
135 "QQ", | |
136 "TCP read %d bytes, header says %d bytes, use header anyway\n", buf_len, buf_len_read); | |
137 buf_len = buf_len_read; /* we believe header is more accurate */ | |
138 } | |
139 } | |
140 | |
141 /* now goes the normal QQ packet as UDP packet */ | |
142 bytes_read += read_packet_b(buf, &cursor, buf_len, &header.header_tag); | |
143 bytes_read += read_packet_w(buf, &cursor, buf_len, &header.source_tag); | |
144 bytes_read += read_packet_w(buf, &cursor, buf_len, &header.cmd); | |
145 bytes_read += read_packet_w(buf, &cursor, buf_len, &header.seq); | |
146 | |
147 if (bytes_read != bytes_expected) { /* read error */ | |
148 gaim_debug(GAIM_DEBUG_ERROR, "QQ", | |
149 "Fail reading packet header, expect %d bytes, read %d bytes\n", | |
150 bytes_expected, bytes_read); | |
151 return; | |
152 } | |
153 | |
154 if ((buf[buf_len - 1] != QQ_PACKET_TAIL) || (header.header_tag != QQ_PACKET_TAG)) { | |
155 gaim_debug(GAIM_DEBUG_ERROR, | |
156 "QQ", "Unknown QQ proctocol, dump and drop\n%s", hex_dump_to_str(buf, buf_len)); | |
157 return; | |
158 } | |
159 | |
160 if (QQ_DEBUG) | |
161 gaim_debug(GAIM_DEBUG_INFO, "QQ", | |
162 "==> [%05d] %s, from (%s)\n", | |
163 header.seq, qq_get_cmd_desc(header.cmd), qq_get_source_str(header.source_tag)); | |
164 | |
165 if (header.cmd != QQ_CMD_LOGIN && header.cmd != QQ_CMD_REQUEST_LOGIN_TOKEN) { | |
166 if (!qd->logged_in) { /* packets before login */ | |
167 b4_packet = g_new0(packet_before_login, 1); | |
168 /* must duplicate, buffer will be freed after exiting this function */ | |
169 b4_packet->buf = g_memdup(buf, buf_len); | |
170 b4_packet->len = buf_len; | |
171 if (qd->before_login_packets == NULL) | |
172 qd->before_login_packets = g_queue_new(); | |
173 g_queue_push_head(qd->before_login_packets, b4_packet); | |
174 return; /* do not process it now */ | |
175 } else if (!g_queue_is_empty(qd->before_login_packets)) { | |
176 /* logged_in, but we have packets before login */ | |
177 b4_packet = (packet_before_login *) | |
178 g_queue_pop_head(qd->before_login_packets); | |
179 _qq_packet_process(b4_packet->buf, b4_packet->len, gc); | |
180 /* in fact this is a recursive call, | |
181 * all packets before login will be processed before goes on */ | |
182 g_free(b4_packet->buf); /* the buf is duplicated, need to be freed */ | |
183 g_free(b4_packet); | |
184 } | |
185 } | |
186 | |
187 /* this is the length of all the encrypted data (also remove tail tag */ | |
188 len = buf_len - (bytes_read) - 1; | |
189 | |
190 /* whether it is an ack */ | |
191 switch (header.cmd) { | |
192 case QQ_CMD_RECV_IM: | |
193 case QQ_CMD_RECV_MSG_SYS: | |
194 case QQ_CMD_RECV_MSG_FRIEND_CHANGE_STATUS: | |
195 /* server intiated packet, we need to send ack and check duplicaion | |
196 * this must be put after processing b4_packet | |
197 * as these packets will be passed in twice */ | |
198 if (_qq_check_packet_set_window(header.seq, gc)) { | |
199 gaim_debug(GAIM_DEBUG_WARNING, | |
200 "QQ", "dup [%05d] %s, discard...\n", header.seq, qq_get_cmd_desc(header.cmd)); | |
201 return; | |
202 } | |
203 break; | |
204 default:{ /* ack packet, we need to update sendqueue */ | |
205 /* we do not check duplication for server ack */ | |
206 qq_sendqueue_remove(qd, header.seq); | |
207 if (QQ_DEBUG) | |
208 gaim_debug(GAIM_DEBUG_INFO, "QQ", | |
209 "ack [%05d] %s, remove from sendqueue\n", | |
210 header.seq, qq_get_cmd_desc(header.cmd)); | |
211 } | |
212 } | |
213 | |
214 /* now process the packet */ | |
215 switch (header.cmd) { | |
216 case QQ_CMD_KEEP_ALIVE: | |
217 qq_process_keep_alive_reply(cursor, len, gc); | |
218 break; | |
219 case QQ_CMD_UPDATE_INFO: | |
220 qq_process_modify_info_reply(cursor, len, gc); | |
221 break; | |
222 case QQ_CMD_ADD_FRIEND_WO_AUTH: | |
223 qq_process_add_buddy_reply(cursor, len, header.seq, gc); | |
224 break; | |
225 case QQ_CMD_DEL_FRIEND: | |
226 qq_process_remove_buddy_reply(cursor, len, gc); | |
227 break; | |
228 case QQ_CMD_REMOVE_SELF: | |
229 qq_process_remove_self_reply(cursor, len, gc); | |
230 break; | |
231 case QQ_CMD_BUDDY_AUTH: | |
232 qq_process_add_buddy_auth_reply(cursor, len, gc); | |
233 break; | |
234 case QQ_CMD_GET_USER_INFO: | |
235 qq_process_get_info_reply(cursor, len, gc); | |
236 break; | |
237 case QQ_CMD_CHANGE_ONLINE_STATUS: | |
238 qq_process_change_status_reply(cursor, len, gc); | |
239 break; | |
240 case QQ_CMD_SEND_IM: | |
241 qq_process_send_im_reply(cursor, len, gc); | |
242 break; | |
243 case QQ_CMD_RECV_IM: | |
244 qq_process_recv_im(cursor, len, header.seq, gc); | |
245 break; | |
246 case QQ_CMD_LOGIN: | |
247 qq_process_login_reply(cursor, len, gc); | |
248 break; | |
249 case QQ_CMD_GET_FRIENDS_LIST: | |
250 qq_process_get_buddies_list_reply(cursor, len, gc); | |
251 break; | |
252 case QQ_CMD_GET_FRIENDS_ONLINE: | |
253 qq_process_get_buddies_online_reply(cursor, len, gc); | |
254 break; | |
255 case QQ_CMD_GROUP_CMD: | |
256 qq_process_group_cmd_reply(cursor, len, header.seq, gc); | |
257 break; | |
258 case QQ_CMD_GET_ALL_LIST_WITH_GROUP: | |
259 qq_process_get_all_list_with_group_reply(cursor, len, gc); | |
260 break; | |
261 case QQ_CMD_REQUEST_LOGIN_TOKEN: | |
262 qq_process_request_login_token_reply(cursor, len, gc); | |
263 break; | |
264 case QQ_CMD_RECV_MSG_SYS: | |
265 qq_process_msg_sys(cursor, len, header.seq, gc); | |
266 break; | |
267 case QQ_CMD_RECV_MSG_FRIEND_CHANGE_STATUS: | |
268 qq_process_friend_change_status(cursor, len, gc); | |
269 break; | |
270 default: | |
271 _qq_process_packet_default(cursor, len, header.cmd, header.seq, gc); | |
272 break; | |
273 } | |
274 } | |
275 | |
276 /* clean up the packets before login */ | |
277 void qq_b4_packets_free(qq_data *qd) | |
278 { | |
279 packet_before_login *b4_packet; | |
280 g_return_if_fail(qd != NULL); | |
281 /* now clean up my own data structures */ | |
282 if (qd->before_login_packets != NULL) { | |
283 while (NULL != (b4_packet = g_queue_pop_tail(qd->before_login_packets))) { | |
284 g_free(b4_packet->buf); | |
285 g_free(b4_packet); | |
286 } | |
287 g_queue_free(qd->before_login_packets); | |
288 } | |
289 } | |
290 | |
291 void qq_input_pending(gpointer data, gint source, GaimInputCondition cond) | |
292 { | |
293 GaimConnection *gc; | |
294 qq_data *qd; | |
295 guint8 *buf; | |
296 gint len; | |
297 | |
298 gc = (GaimConnection *) data; | |
14498
26bca01c7076
[gaim-migrate @ 17217]
Daniel Atallah <daniel.atallah@gmail.com>
parents:
14195
diff
changeset
|
299 |
26bca01c7076
[gaim-migrate @ 17217]
Daniel Atallah <daniel.atallah@gmail.com>
parents:
14195
diff
changeset
|
300 g_return_if_fail(gc != NULL && gc->proto_data != NULL); |
26bca01c7076
[gaim-migrate @ 17217]
Daniel Atallah <daniel.atallah@gmail.com>
parents:
14195
diff
changeset
|
301 |
26bca01c7076
[gaim-migrate @ 17217]
Daniel Atallah <daniel.atallah@gmail.com>
parents:
14195
diff
changeset
|
302 if(cond != GAIM_INPUT_READ) { |
14195 | 303 gaim_connection_error(gc, _("Socket error")); |
304 return; | |
305 } | |
14192 | 306 |
307 qd = (qq_data *) gc->proto_data; | |
308 buf = g_newa(guint8, MAX_PACKET_SIZE); | |
309 | |
310 /* here we have UDP proxy suppport */ | |
311 len = qq_proxy_read(qd, buf, MAX_PACKET_SIZE); | |
312 if (len <= 0) { | |
313 gaim_connection_error(gc, _("Unable to read from socket")); | |
314 return; | |
315 } else { | |
316 _qq_packet_process(buf, len, gc); | |
317 } | |
318 } |