Mercurial > pidgin
comparison libpurple/protocols/oscar/family_feedbag.c @ 32376:82024b6ea465
Fix remotely-triggerable crashes by validating strings in a few
messages related to buddy list management. Fixes #14682
I changed the four functions that parse incoming authorization-related
SNACs. The changes are:
- Make sure we have a buddy name and it is valid UTF-8. If not, we
drop the SNAC and log a debug message (we can't do much with an empty,
invalid or incorrect buddy name). This wasn't a part of the bug
report and I doubt it's actually a problem, but it seems like a good
idea regardless.
- If the incoming message is not valid UTF-8 then use
purple_utf8_salvage() to replace invalid bytes with question marks. I
believe this fixes the bug in question.
author | Mark Doliner <mark@kingant.net> |
---|---|
date | Tue, 06 Dec 2011 06:40:23 +0000 |
parents | 17f7badf147e |
children | 3ed4800c5e17 |
comparison
equal
deleted
inserted
replaced
32371:58d4a721f0c0 | 32376:82024b6ea465 |
---|---|
1648 static int receiveauthgrant(OscarData *od, FlapConnection *conn, aim_module_t *mod, FlapFrame *frame, aim_modsnac_t *snac, ByteStream *bs) | 1648 static int receiveauthgrant(OscarData *od, FlapConnection *conn, aim_module_t *mod, FlapFrame *frame, aim_modsnac_t *snac, ByteStream *bs) |
1649 { | 1649 { |
1650 int ret = 0; | 1650 int ret = 0; |
1651 aim_rxcallback_t userfunc; | 1651 aim_rxcallback_t userfunc; |
1652 guint16 tmp; | 1652 guint16 tmp; |
1653 char *bn, *msg; | 1653 char *bn, *msg, *tmpstr; |
1654 | 1654 |
1655 /* Read buddy name */ | 1655 /* Read buddy name */ |
1656 if ((tmp = byte_stream_get8(bs))) | 1656 tmp = byte_stream_get8(bs); |
1657 bn = byte_stream_getstr(bs, tmp); | 1657 if (!tmp) { |
1658 else | 1658 purple_debug_warning("oscar", "Dropping auth grant SNAC " |
1659 bn = NULL; | 1659 "because username was empty\n"); |
1660 | 1660 return 0; |
1661 /* Read message (null terminated) */ | 1661 } |
1662 if ((tmp = byte_stream_get16(bs))) | 1662 bn = byte_stream_getstr(bs, tmp); |
1663 if (!g_utf8_validate(bn, -1, NULL)) { | |
1664 purple_debug_warning("oscar", "Dropping auth grant SNAC " | |
1665 "because the username was not valid UTF-8\n"); | |
1666 g_free(bn); | |
1667 } | |
1668 | |
1669 /* Read message */ | |
1670 tmp = byte_stream_get16(bs); | |
1671 if (tmp) { | |
1663 msg = byte_stream_getstr(bs, tmp); | 1672 msg = byte_stream_getstr(bs, tmp); |
1664 else | 1673 if (!g_utf8_validate(msg, -1, NULL)) { |
1674 /* Ugh, msg isn't UTF8. Let's salvage. */ | |
1675 purple_debug_warning("oscar", "Got non-UTF8 message in auth " | |
1676 "grant from %s\n", bn); | |
1677 tmpstr = purple_utf8_salvage(msg); | |
1678 g_free(msg); | |
1679 msg = tmpstr; | |
1680 } | |
1681 } else | |
1665 msg = NULL; | 1682 msg = NULL; |
1666 | 1683 |
1667 /* Unknown */ | 1684 /* Unknown */ |
1668 tmp = byte_stream_get16(bs); | 1685 tmp = byte_stream_get16(bs); |
1669 | 1686 |
1722 static int receiveauthrequest(OscarData *od, FlapConnection *conn, aim_module_t *mod, FlapFrame *frame, aim_modsnac_t *snac, ByteStream *bs) | 1739 static int receiveauthrequest(OscarData *od, FlapConnection *conn, aim_module_t *mod, FlapFrame *frame, aim_modsnac_t *snac, ByteStream *bs) |
1723 { | 1740 { |
1724 int ret = 0; | 1741 int ret = 0; |
1725 aim_rxcallback_t userfunc; | 1742 aim_rxcallback_t userfunc; |
1726 guint16 tmp; | 1743 guint16 tmp; |
1727 char *bn, *msg; | 1744 char *bn, *msg, *tmpstr; |
1728 | 1745 |
1729 /* Read buddy name */ | 1746 /* Read buddy name */ |
1730 if ((tmp = byte_stream_get8(bs))) | 1747 tmp = byte_stream_get8(bs); |
1731 bn = byte_stream_getstr(bs, tmp); | 1748 if (!tmp) { |
1732 else | 1749 purple_debug_warning("oscar", "Dropping auth request SNAC " |
1733 bn = NULL; | 1750 "because username was empty\n"); |
1734 | 1751 return 0; |
1735 /* Read message (null terminated) */ | 1752 } |
1736 if ((tmp = byte_stream_get16(bs))) | 1753 bn = byte_stream_getstr(bs, tmp); |
1754 if (!g_utf8_validate(bn, -1, NULL)) { | |
1755 purple_debug_warning("oscar", "Dropping auth request SNAC " | |
1756 "because the username was not valid UTF-8\n"); | |
1757 g_free(bn); | |
1758 } | |
1759 | |
1760 /* Read message */ | |
1761 tmp = byte_stream_get16(bs); | |
1762 if (tmp) { | |
1737 msg = byte_stream_getstr(bs, tmp); | 1763 msg = byte_stream_getstr(bs, tmp); |
1738 else | 1764 if (!g_utf8_validate(msg, -1, NULL)) { |
1765 /* Ugh, msg isn't UTF8. Let's salvage. */ | |
1766 purple_debug_warning("oscar", "Got non-UTF8 message in auth " | |
1767 "request from %s\n", bn); | |
1768 tmpstr = purple_utf8_salvage(msg); | |
1769 g_free(msg); | |
1770 msg = tmpstr; | |
1771 } | |
1772 } else | |
1739 msg = NULL; | 1773 msg = NULL; |
1740 | 1774 |
1741 /* Unknown */ | 1775 /* Unknown */ |
1742 tmp = byte_stream_get16(bs); | 1776 tmp = byte_stream_get16(bs); |
1743 | 1777 |
1806 { | 1840 { |
1807 int ret = 0; | 1841 int ret = 0; |
1808 aim_rxcallback_t userfunc; | 1842 aim_rxcallback_t userfunc; |
1809 guint16 tmp; | 1843 guint16 tmp; |
1810 guint8 reply; | 1844 guint8 reply; |
1811 char *bn, *msg; | 1845 char *bn, *msg, *tmpstr; |
1812 | 1846 |
1813 /* Read buddy name */ | 1847 /* Read buddy name */ |
1814 if ((tmp = byte_stream_get8(bs))) | 1848 tmp = byte_stream_get8(bs); |
1815 bn = byte_stream_getstr(bs, tmp); | 1849 if (!tmp) { |
1816 else | 1850 purple_debug_warning("oscar", "Dropping auth reply SNAC " |
1817 bn = NULL; | 1851 "because username was empty\n"); |
1852 return 0; | |
1853 } | |
1854 bn = byte_stream_getstr(bs, tmp); | |
1855 if (!g_utf8_validate(bn, -1, NULL)) { | |
1856 purple_debug_warning("oscar", "Dropping auth reply SNAC " | |
1857 "because the username was not valid UTF-8\n"); | |
1858 g_free(bn); | |
1859 } | |
1818 | 1860 |
1819 /* Read reply */ | 1861 /* Read reply */ |
1820 reply = byte_stream_get8(bs); | 1862 reply = byte_stream_get8(bs); |
1821 | 1863 |
1822 /* Read message (null terminated) */ | 1864 /* Read message */ |
1823 if ((tmp = byte_stream_get16(bs))) | 1865 tmp = byte_stream_get16(bs); |
1866 if (tmp) { | |
1824 msg = byte_stream_getstr(bs, tmp); | 1867 msg = byte_stream_getstr(bs, tmp); |
1825 else | 1868 if (!g_utf8_validate(msg, -1, NULL)) { |
1869 /* Ugh, msg isn't UTF8. Let's salvage. */ | |
1870 purple_debug_warning("oscar", "Got non-UTF8 message in auth " | |
1871 "reply from %s\n", bn); | |
1872 tmpstr = purple_utf8_salvage(msg); | |
1873 g_free(msg); | |
1874 msg = tmpstr; | |
1875 } | |
1876 } else | |
1826 msg = NULL; | 1877 msg = NULL; |
1827 | 1878 |
1828 /* Unknown */ | 1879 /* Unknown */ |
1829 tmp = byte_stream_get16(bs); | 1880 tmp = byte_stream_get16(bs); |
1830 | 1881 |
1846 aim_rxcallback_t userfunc; | 1897 aim_rxcallback_t userfunc; |
1847 guint16 tmp; | 1898 guint16 tmp; |
1848 char *bn; | 1899 char *bn; |
1849 | 1900 |
1850 /* Read buddy name */ | 1901 /* Read buddy name */ |
1851 if ((tmp = byte_stream_get8(bs))) | 1902 tmp = byte_stream_get8(bs); |
1852 bn = byte_stream_getstr(bs, tmp); | 1903 if (!tmp) { |
1853 else | 1904 purple_debug_warning("oscar", "Dropping 'you were added' SNAC " |
1854 bn = NULL; | 1905 "because username was empty\n"); |
1906 return 0; | |
1907 } | |
1908 bn = byte_stream_getstr(bs, tmp); | |
1909 if (!g_utf8_validate(bn, -1, NULL)) { | |
1910 purple_debug_warning("oscar", "Dropping 'you were added' SNAC " | |
1911 "because the username was not valid UTF-8\n"); | |
1912 g_free(bn); | |
1913 } | |
1855 | 1914 |
1856 if ((userfunc = aim_callhandler(od, snac->family, snac->subtype))) | 1915 if ((userfunc = aim_callhandler(od, snac->family, snac->subtype))) |
1857 ret = userfunc(od, conn, frame, bn); | 1916 ret = userfunc(od, conn, frame, bn); |
1858 | 1917 |
1859 g_free(bn); | 1918 g_free(bn); |