Mercurial > pidgin
comparison libpurple/protocols/oscar/family_feedbag.c @ 32376:82024b6ea465
Fix remotely-triggerable crashes by validating strings in a few
messages related to buddy list management. Fixes #14682
I changed the four functions that parse incoming authorization-related
SNACs. The changes are:
- Make sure we have a buddy name and it is valid UTF-8. If not, we
drop the SNAC and log a debug message (we can't do much with an empty,
invalid or incorrect buddy name). This wasn't a part of the bug
report and I doubt it's actually a problem, but it seems like a good
idea regardless.
- If the incoming message is not valid UTF-8 then use
purple_utf8_salvage() to replace invalid bytes with question marks. I
believe this fixes the bug in question.
| author | Mark Doliner <mark@kingant.net> |
|---|---|
| date | Tue, 06 Dec 2011 06:40:23 +0000 |
| parents | 17f7badf147e |
| children | 3ed4800c5e17 |
comparison
equal
deleted
inserted
replaced
| 32371:58d4a721f0c0 | 32376:82024b6ea465 |
|---|---|
| 1648 static int receiveauthgrant(OscarData *od, FlapConnection *conn, aim_module_t *mod, FlapFrame *frame, aim_modsnac_t *snac, ByteStream *bs) | 1648 static int receiveauthgrant(OscarData *od, FlapConnection *conn, aim_module_t *mod, FlapFrame *frame, aim_modsnac_t *snac, ByteStream *bs) |
| 1649 { | 1649 { |
| 1650 int ret = 0; | 1650 int ret = 0; |
| 1651 aim_rxcallback_t userfunc; | 1651 aim_rxcallback_t userfunc; |
| 1652 guint16 tmp; | 1652 guint16 tmp; |
| 1653 char *bn, *msg; | 1653 char *bn, *msg, *tmpstr; |
| 1654 | 1654 |
| 1655 /* Read buddy name */ | 1655 /* Read buddy name */ |
| 1656 if ((tmp = byte_stream_get8(bs))) | 1656 tmp = byte_stream_get8(bs); |
| 1657 bn = byte_stream_getstr(bs, tmp); | 1657 if (!tmp) { |
| 1658 else | 1658 purple_debug_warning("oscar", "Dropping auth grant SNAC " |
| 1659 bn = NULL; | 1659 "because username was empty\n"); |
| 1660 | 1660 return 0; |
| 1661 /* Read message (null terminated) */ | 1661 } |
| 1662 if ((tmp = byte_stream_get16(bs))) | 1662 bn = byte_stream_getstr(bs, tmp); |
| 1663 if (!g_utf8_validate(bn, -1, NULL)) { | |
| 1664 purple_debug_warning("oscar", "Dropping auth grant SNAC " | |
| 1665 "because the username was not valid UTF-8\n"); | |
| 1666 g_free(bn); | |
| 1667 } | |
| 1668 | |
| 1669 /* Read message */ | |
| 1670 tmp = byte_stream_get16(bs); | |
| 1671 if (tmp) { | |
| 1663 msg = byte_stream_getstr(bs, tmp); | 1672 msg = byte_stream_getstr(bs, tmp); |
| 1664 else | 1673 if (!g_utf8_validate(msg, -1, NULL)) { |
| 1674 /* Ugh, msg isn't UTF8. Let's salvage. */ | |
| 1675 purple_debug_warning("oscar", "Got non-UTF8 message in auth " | |
| 1676 "grant from %s\n", bn); | |
| 1677 tmpstr = purple_utf8_salvage(msg); | |
| 1678 g_free(msg); | |
| 1679 msg = tmpstr; | |
| 1680 } | |
| 1681 } else | |
| 1665 msg = NULL; | 1682 msg = NULL; |
| 1666 | 1683 |
| 1667 /* Unknown */ | 1684 /* Unknown */ |
| 1668 tmp = byte_stream_get16(bs); | 1685 tmp = byte_stream_get16(bs); |
| 1669 | 1686 |
| 1722 static int receiveauthrequest(OscarData *od, FlapConnection *conn, aim_module_t *mod, FlapFrame *frame, aim_modsnac_t *snac, ByteStream *bs) | 1739 static int receiveauthrequest(OscarData *od, FlapConnection *conn, aim_module_t *mod, FlapFrame *frame, aim_modsnac_t *snac, ByteStream *bs) |
| 1723 { | 1740 { |
| 1724 int ret = 0; | 1741 int ret = 0; |
| 1725 aim_rxcallback_t userfunc; | 1742 aim_rxcallback_t userfunc; |
| 1726 guint16 tmp; | 1743 guint16 tmp; |
| 1727 char *bn, *msg; | 1744 char *bn, *msg, *tmpstr; |
| 1728 | 1745 |
| 1729 /* Read buddy name */ | 1746 /* Read buddy name */ |
| 1730 if ((tmp = byte_stream_get8(bs))) | 1747 tmp = byte_stream_get8(bs); |
| 1731 bn = byte_stream_getstr(bs, tmp); | 1748 if (!tmp) { |
| 1732 else | 1749 purple_debug_warning("oscar", "Dropping auth request SNAC " |
| 1733 bn = NULL; | 1750 "because username was empty\n"); |
| 1734 | 1751 return 0; |
| 1735 /* Read message (null terminated) */ | 1752 } |
| 1736 if ((tmp = byte_stream_get16(bs))) | 1753 bn = byte_stream_getstr(bs, tmp); |
| 1754 if (!g_utf8_validate(bn, -1, NULL)) { | |
| 1755 purple_debug_warning("oscar", "Dropping auth request SNAC " | |
| 1756 "because the username was not valid UTF-8\n"); | |
| 1757 g_free(bn); | |
| 1758 } | |
| 1759 | |
| 1760 /* Read message */ | |
| 1761 tmp = byte_stream_get16(bs); | |
| 1762 if (tmp) { | |
| 1737 msg = byte_stream_getstr(bs, tmp); | 1763 msg = byte_stream_getstr(bs, tmp); |
| 1738 else | 1764 if (!g_utf8_validate(msg, -1, NULL)) { |
| 1765 /* Ugh, msg isn't UTF8. Let's salvage. */ | |
| 1766 purple_debug_warning("oscar", "Got non-UTF8 message in auth " | |
| 1767 "request from %s\n", bn); | |
| 1768 tmpstr = purple_utf8_salvage(msg); | |
| 1769 g_free(msg); | |
| 1770 msg = tmpstr; | |
| 1771 } | |
| 1772 } else | |
| 1739 msg = NULL; | 1773 msg = NULL; |
| 1740 | 1774 |
| 1741 /* Unknown */ | 1775 /* Unknown */ |
| 1742 tmp = byte_stream_get16(bs); | 1776 tmp = byte_stream_get16(bs); |
| 1743 | 1777 |
| 1806 { | 1840 { |
| 1807 int ret = 0; | 1841 int ret = 0; |
| 1808 aim_rxcallback_t userfunc; | 1842 aim_rxcallback_t userfunc; |
| 1809 guint16 tmp; | 1843 guint16 tmp; |
| 1810 guint8 reply; | 1844 guint8 reply; |
| 1811 char *bn, *msg; | 1845 char *bn, *msg, *tmpstr; |
| 1812 | 1846 |
| 1813 /* Read buddy name */ | 1847 /* Read buddy name */ |
| 1814 if ((tmp = byte_stream_get8(bs))) | 1848 tmp = byte_stream_get8(bs); |
| 1815 bn = byte_stream_getstr(bs, tmp); | 1849 if (!tmp) { |
| 1816 else | 1850 purple_debug_warning("oscar", "Dropping auth reply SNAC " |
| 1817 bn = NULL; | 1851 "because username was empty\n"); |
| 1852 return 0; | |
| 1853 } | |
| 1854 bn = byte_stream_getstr(bs, tmp); | |
| 1855 if (!g_utf8_validate(bn, -1, NULL)) { | |
| 1856 purple_debug_warning("oscar", "Dropping auth reply SNAC " | |
| 1857 "because the username was not valid UTF-8\n"); | |
| 1858 g_free(bn); | |
| 1859 } | |
| 1818 | 1860 |
| 1819 /* Read reply */ | 1861 /* Read reply */ |
| 1820 reply = byte_stream_get8(bs); | 1862 reply = byte_stream_get8(bs); |
| 1821 | 1863 |
| 1822 /* Read message (null terminated) */ | 1864 /* Read message */ |
| 1823 if ((tmp = byte_stream_get16(bs))) | 1865 tmp = byte_stream_get16(bs); |
| 1866 if (tmp) { | |
| 1824 msg = byte_stream_getstr(bs, tmp); | 1867 msg = byte_stream_getstr(bs, tmp); |
| 1825 else | 1868 if (!g_utf8_validate(msg, -1, NULL)) { |
| 1869 /* Ugh, msg isn't UTF8. Let's salvage. */ | |
| 1870 purple_debug_warning("oscar", "Got non-UTF8 message in auth " | |
| 1871 "reply from %s\n", bn); | |
| 1872 tmpstr = purple_utf8_salvage(msg); | |
| 1873 g_free(msg); | |
| 1874 msg = tmpstr; | |
| 1875 } | |
| 1876 } else | |
| 1826 msg = NULL; | 1877 msg = NULL; |
| 1827 | 1878 |
| 1828 /* Unknown */ | 1879 /* Unknown */ |
| 1829 tmp = byte_stream_get16(bs); | 1880 tmp = byte_stream_get16(bs); |
| 1830 | 1881 |
| 1846 aim_rxcallback_t userfunc; | 1897 aim_rxcallback_t userfunc; |
| 1847 guint16 tmp; | 1898 guint16 tmp; |
| 1848 char *bn; | 1899 char *bn; |
| 1849 | 1900 |
| 1850 /* Read buddy name */ | 1901 /* Read buddy name */ |
| 1851 if ((tmp = byte_stream_get8(bs))) | 1902 tmp = byte_stream_get8(bs); |
| 1852 bn = byte_stream_getstr(bs, tmp); | 1903 if (!tmp) { |
| 1853 else | 1904 purple_debug_warning("oscar", "Dropping 'you were added' SNAC " |
| 1854 bn = NULL; | 1905 "because username was empty\n"); |
| 1906 return 0; | |
| 1907 } | |
| 1908 bn = byte_stream_getstr(bs, tmp); | |
| 1909 if (!g_utf8_validate(bn, -1, NULL)) { | |
| 1910 purple_debug_warning("oscar", "Dropping 'you were added' SNAC " | |
| 1911 "because the username was not valid UTF-8\n"); | |
| 1912 g_free(bn); | |
| 1913 } | |
| 1855 | 1914 |
| 1856 if ((userfunc = aim_callhandler(od, snac->family, snac->subtype))) | 1915 if ((userfunc = aim_callhandler(od, snac->family, snac->subtype))) |
| 1857 ret = userfunc(od, conn, frame, bn); | 1916 ret = userfunc(od, conn, frame, bn); |
| 1858 | 1917 |
| 1859 g_free(bn); | 1918 g_free(bn); |