comparison libpurple/protocols/oscar/family_icbm.c @ 25462:a3e3c6331e06
Fix receipt of ICQ messages from the mobile client "Slick." Fixes #7084, #7595.
committer: John Bailey <rekkanoryo@rekkanoryo.org>
author | david.jedelsky@gmail.com |
---|---|
date | Sun, 15 Feb 2009 19:01:58 +0000 |
parents | 531922f4ea2a |
children | 4b8c4870b13a |
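--- a/libpurple/protocols/oscar/family_icbm.c
+++ b/libpurple/protocols/oscar/family_icbm.c
@@ -1564,13 +1564,14 @@
 return 0;
 }
 
 static int incomingim_ch1(OscarData *od, FlapConnection *conn, aim_module_t *mod, FlapFrame *frame, aim_modsnac_t *snac, guint16 channel, aim_userinfo_t *userinfo, ByteStream *bs, guint8 *cookie)
 {
-guint16 type, length;
+guint16 type, length, magic1, msglen;
 aim_rxcallback_t userfunc;
 int ret = 0;
+int rev = 0;
 struct aim_incomingim_ch1_args args;
 unsigned int endpos;
 
 memset(&args, 0, sizeof(args));
 
@@ -1601,14 +1602,34 @@
 * - 0501 -- Unknown
 * - Features: Don't know how to interpret these
 * - 0101 -- Unknown
 * - Message
 *
+* Slick and possible others reverse 'Features' and 'Messages' section.
+* Thus, the TLV could have following layout:
+* - 0101 -- Unknown (possibly magic for message section)
+* - Message
+* - 0501 -- Unknown (possibly magic for features section)
+* - Features: Don't know how to interpret these
 */
 
-byte_stream_get8(bs); /* 05 */
-byte_stream_get8(bs); /* 01 */
+magic1 = byte_stream_get16(bs); /* 0501 or 0101 */
+if (magic1 == 0x101) /* Bad, message comes before attributes */
+{
+/* Jump to the features section */
+msglen = byte_stream_get16(bs);
+bs->offset += msglen;
+rev = 1;
+
+magic1 = byte_stream_get16(bs); /* 0501 */
+}
+
+if (magic1 != 0x501)
+{
+purple_debug_misc("oscar", "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.\n", userinfo->sn);
+break;
+}
 
 args.featureslen = byte_stream_get16(bs);
 if (args.featureslen > byte_stream_empty(bs))
 {
 purple_debug_misc("oscar", "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.\n", userinfo->sn);
@@ -1622,15 +1643,29 @@
 {
 args.features = byte_stream_getraw(bs, args.featureslen);
 args.icbmflags |= AIM_IMFLAGS_CUSTOMFEATURES;
 }
 
+if (rev)
+{
+/* Fix buffer back to message */
+bs->offset -= args.featureslen + 2 + 2 + msglen + 2 + 2;
+}
+
+magic1 = byte_stream_get16(bs); /* 01 01 */
+if (magic1 != 0x101) /* Bad, message comes before attributes */
+{
+purple_debug_misc("oscar", "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.\n", userinfo->sn);
+break;
+}
+msglen = byte_stream_get16(bs);
+
 /*
 * The rest of the TLV contains one or more message
 * blocks...
 */
-incomingim_ch1_parsemsgs(od, userinfo, bs->data + bs->offset /* XXX evil!!! */, length - 2 - 2 - args.featureslen, &args);
+incomingim_ch1_parsemsgs(od, userinfo, bs->data + bs->offset - 2 - 2 /* XXX evil!!! */, msglen + 2 + 2, &args);
 
 } else if (type == 0x0003) { /* Server Ack Requested */
 
 args.icbmflags |= AIM_IMFLAGS_ACK;
 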
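Review bot: Both reads of `msglen` trust a 16-bit length taken from the wire without comparing it to what is left in the stream: the reversed-layout branch does `bs->offset += msglen;` right after `msglen = byte_stream_get16(bs);`, and the non-reversed path reads `msglen` at line 1660 and hands `msglen + 2 + 2` straight to `incomingim_ch1_parsemsgs`, where the old call derived its length from the TLV `length` that was bounded elsewhere. Whether the later `byte_stream_get16` calls tolerate an offset past the end depends on the ByteStream helpers, which are not visible here, but parsemsgs receives a raw pointer and a length and will walk whatever it is told, so a peer can claim more message bytes than the TLV holds. Reuse the guard the code already applies to `featureslen` immediately after each `msglen = byte_stream_get16(bs);` — `if (msglen > byte_stream_empty(bs)) { purple_debug_misc("oscar", "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.\n", userinfo->sn); break; }` — placing it before `bs->offset += msglen;` in the reversed branch. The comment on the second magic check, `/* Bad, message comes before attributes */`, was copied from the first and is wrong there, since 0x0101 is the expected value at that point; `/* expect the 0101 marker that precedes the message length */` reads correctly. incomingim_ch1 continues past the end of this hunk.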