view libpurple/protocols/msn/servconn.c @ 32797:aacfb71133cc

Fix a possible MSN remote crash Incoming messages with certain characters or character encodings can cause clients to crash. The fix is for the contents of all incoming plaintext messages are converted to UTF-8 and validated before used. This was reported to us by Fabian Yamaguchi and this patch was written by Elliott Sales de Andrade (maybe with small, insignificant changes by me)
author Mark Doliner <mark@kingant.net>
date Mon, 07 May 2012 03:18:08 +0000
parents 230caecf5435
children 10e5000326a5 3828a61c44da
line wrap: on
line source

/**
 * @file servconn.c Server connection functions
 *
 * purple
 *
 * Purple is the legal property of its developers, whose names are too numerous
 * to list here.  Please refer to the COPYRIGHT file distributed with this
 * source distribution.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02111-1301  USA
 */
#include "internal.h"
#include "debug.h"

#include "servconn.h"
#include "error.h"

static void read_cb(gpointer data, gint source, PurpleInputCondition cond);
static void servconn_timeout_renew(MsnServConn *servconn);

/**************************************************************************
 * Main
 **************************************************************************/

MsnServConn *
msn_servconn_new(MsnSession *session, MsnServConnType type)
{
	MsnServConn *servconn;

	g_return_val_if_fail(session != NULL, NULL);

	servconn = g_new0(MsnServConn, 1);

	servconn->type = type;

	servconn->session = session;
	servconn->cmdproc = msn_cmdproc_new(session);
	servconn->cmdproc->servconn = servconn;

	servconn->httpconn = msn_httpconn_new(servconn);

	servconn->num = session->servconns_count++;

	servconn->tx_buf = purple_circ_buffer_new(MSN_BUF_LEN);
	servconn->tx_handler = 0;
	servconn->timeout_sec = 0;
	servconn->timeout_handle = 0;

	servconn->fd = -1;

	return servconn;
}

void
msn_servconn_destroy(MsnServConn *servconn)
{
	g_return_if_fail(servconn != NULL);

	if (servconn->processing)
	{
		servconn->wasted = TRUE;
		return;
	}

	msn_servconn_disconnect(servconn);

	if (servconn->destroy_cb)
		servconn->destroy_cb(servconn);

	if (servconn->httpconn != NULL)
		msn_httpconn_destroy(servconn->httpconn);

	g_free(servconn->host);

	purple_circ_buffer_destroy(servconn->tx_buf);
	if (servconn->tx_handler > 0)
		purple_input_remove(servconn->tx_handler);
	if (servconn->timeout_handle > 0)
		purple_timeout_remove(servconn->timeout_handle);

	msn_cmdproc_destroy(servconn->cmdproc);
	g_free(servconn);
}

void
msn_servconn_set_connect_cb(MsnServConn *servconn,
							void (*connect_cb)(MsnServConn *))
{
	g_return_if_fail(servconn != NULL);
	servconn->connect_cb = connect_cb;
}

void
msn_servconn_set_disconnect_cb(MsnServConn *servconn,
							   void (*disconnect_cb)(MsnServConn *))
{
	g_return_if_fail(servconn != NULL);

	servconn->disconnect_cb = disconnect_cb;
}

void
msn_servconn_set_destroy_cb(MsnServConn *servconn,
							void (*destroy_cb)(MsnServConn *))
{
	g_return_if_fail(servconn != NULL);

	servconn->destroy_cb = destroy_cb;
}

/**************************************************************************
 * Utility
 **************************************************************************/

void
msn_servconn_got_error(MsnServConn *servconn, MsnServConnError error,
                       const char *reason)
{
	MsnSession *session = servconn->session;
	MsnServConnType type = servconn->type;

	const char *names[] = { "Notification", "Switchboard" };
	const char *name;

	name = names[type];

	if (reason == NULL) {
		switch (error)
		{
			case MSN_SERVCONN_ERROR_CONNECT:
				reason = _("Unable to connect"); break;
			case MSN_SERVCONN_ERROR_WRITE:
				reason = _("Writing error"); break;
			case MSN_SERVCONN_ERROR_READ:
				reason = _("Reading error"); break;
			default:
				reason = _("Unknown error"); break;
		}
	}

	purple_debug_error("msn", "Connection error from %s server (%s): %s\n",
					 name, servconn->host, reason);

	if (type == MSN_SERVCONN_SB)
	{
		MsnSwitchBoard *swboard;
		swboard = servconn->cmdproc->data;
		if (swboard != NULL)
			swboard->error = MSN_SB_ERROR_CONNECTION;
	}

	/* servconn->disconnect_cb may destroy servconn, so don't use it again */
	msn_servconn_disconnect(servconn);

	if (type == MSN_SERVCONN_NS)
	{
		char *tmp = g_strdup_printf(_("Connection error from %s server:\n%s"),
		                            name, reason);
		msn_session_set_error(session, MSN_ERROR_SERVCONN, tmp);
		g_free(tmp);
	}
}

/**************************************************************************
 * Connect
 **************************************************************************/

static void
connect_cb(gpointer data, gint source, const char *error_message)
{
	MsnServConn *servconn;

	servconn = data;
	servconn->connect_data = NULL;

	servconn->fd = source;

	if (source >= 0)
	{
		servconn->connected = TRUE;

		/* Someone wants to know we connected. */
		servconn->connect_cb(servconn);
		servconn->inpa = purple_input_add(servconn->fd, PURPLE_INPUT_READ,
			read_cb, data);
		servconn_timeout_renew(servconn);
	}
	else
	{
		purple_debug_error("msn", "Connection error: %s\n", error_message);
		msn_servconn_got_error(servconn, MSN_SERVCONN_ERROR_CONNECT, error_message);
	}
}

gboolean
msn_servconn_connect(MsnServConn *servconn, const char *host, int port, gboolean force)
{
	MsnSession *session;

	g_return_val_if_fail(servconn != NULL, FALSE);
	g_return_val_if_fail(host     != NULL, FALSE);
	g_return_val_if_fail(port      > 0,    FALSE);

	session = servconn->session;

	if (servconn->connected)
		msn_servconn_disconnect(servconn);

	g_free(servconn->host);
	servconn->host = g_strdup(host);

	if (session->http_method)
	{
		/* HTTP Connection. */

		if (!servconn->httpconn->connected || force)
			if (!msn_httpconn_connect(servconn->httpconn, host, port))
				return FALSE;

		servconn->connected = TRUE;
		servconn->httpconn->virgin = TRUE;
		servconn_timeout_renew(servconn);

		/* Someone wants to know we connected. */
		servconn->connect_cb(servconn);

		return TRUE;
	}

	servconn->connect_data = purple_proxy_connect(NULL, session->account,
			host, port, connect_cb, servconn);

	return (servconn->connect_data != NULL);
}

void
msn_servconn_disconnect(MsnServConn *servconn)
{
	g_return_if_fail(servconn != NULL);

	if (servconn->connect_data != NULL)
	{
		purple_proxy_connect_cancel(servconn->connect_data);
		servconn->connect_data = NULL;
	}

	if (!servconn->connected)
	{
		/* We could not connect. */
		if (servconn->disconnect_cb != NULL)
			servconn->disconnect_cb(servconn);

		return;
	}

	if (servconn->session->http_method)
	{
		/* Fake disconnection. */
		if (servconn->disconnect_cb != NULL)
			servconn->disconnect_cb(servconn);

		return;
	}

	if (servconn->inpa > 0)
	{
		purple_input_remove(servconn->inpa);
		servconn->inpa = 0;
	}

	if (servconn->timeout_handle > 0)
	{
		purple_timeout_remove(servconn->timeout_handle);
		servconn->timeout_handle = 0;
	}

	close(servconn->fd);

	servconn->rx_buf = NULL;
	servconn->rx_len = 0;
	servconn->payload_len = 0;

	servconn->connected = FALSE;

	if (servconn->disconnect_cb != NULL)
		servconn->disconnect_cb(servconn);
}

static gboolean
servconn_idle_timeout_cb(MsnServConn *servconn)
{
	servconn->timeout_handle = 0;
	msn_servconn_disconnect(servconn);
	return FALSE;
}

static void
servconn_timeout_renew(MsnServConn *servconn)
{
	if (servconn->timeout_handle) {
		purple_timeout_remove(servconn->timeout_handle);
		servconn->timeout_handle = 0;
	}

	if (servconn->connected && servconn->timeout_sec) {
		servconn->timeout_handle = purple_timeout_add_seconds(
			servconn->timeout_sec, (GSourceFunc)servconn_idle_timeout_cb, servconn);
	}
}

void
msn_servconn_set_idle_timeout(MsnServConn *servconn, guint seconds)
{
	servconn->timeout_sec = seconds;
	if (servconn->connected)
		servconn_timeout_renew(servconn);
}

static void
servconn_write_cb(gpointer data, gint source, PurpleInputCondition cond)
{
	MsnServConn *servconn = data;
	gssize ret;
	int writelen;

	writelen = purple_circ_buffer_get_max_read(servconn->tx_buf);

	if (writelen == 0) {
		purple_input_remove(servconn->tx_handler);
		servconn->tx_handler = 0;
		return;
	}

	ret = write(servconn->fd, servconn->tx_buf->outptr, writelen);

	if (ret < 0 && errno == EAGAIN)
		return;
	else if (ret <= 0) {
		msn_servconn_got_error(servconn, MSN_SERVCONN_ERROR_WRITE, NULL);
		return;
	}

	purple_circ_buffer_mark_read(servconn->tx_buf, ret);
	servconn_timeout_renew(servconn);
}

gssize
msn_servconn_write(MsnServConn *servconn, const char *buf, size_t len)
{
	gssize ret = 0;

	g_return_val_if_fail(servconn != NULL, 0);

	if (!servconn->session->http_method)
	{
		if (servconn->tx_handler == 0) {
			switch (servconn->type)
			{
				case MSN_SERVCONN_NS:
				case MSN_SERVCONN_SB:
					ret = write(servconn->fd, buf, len);
					break;
#if 0
				case MSN_SERVCONN_DC:
					ret = write(servconn->fd, &buf, sizeof(len));
					ret = write(servconn->fd, buf, len);
					break;
#endif
				default:
					ret = write(servconn->fd, buf, len);
					break;
			}
		} else {
			ret = -1;
			errno = EAGAIN;
		}

		if (ret < 0 && errno == EAGAIN)
			ret = 0;
		if (ret >= 0 && ret < len) {
			if (servconn->tx_handler == 0)
				servconn->tx_handler = purple_input_add(
					servconn->fd, PURPLE_INPUT_WRITE,
					servconn_write_cb, servconn);
			purple_circ_buffer_append(servconn->tx_buf, buf + ret,
				len - ret);
		}
	}
	else
	{
		ret = msn_httpconn_write(servconn->httpconn, buf, len);
	}

	if (ret == -1)
	{
		msn_servconn_got_error(servconn, MSN_SERVCONN_ERROR_WRITE, NULL);
	}

	servconn_timeout_renew(servconn);
	return ret;
}

static void
read_cb(gpointer data, gint source, PurpleInputCondition cond)
{
	MsnServConn *servconn;
	char buf[MSN_BUF_LEN];
	gssize len;

	servconn = data;

	if (servconn->type == MSN_SERVCONN_NS)
		servconn->session->account->gc->last_received = time(NULL);

	len = read(servconn->fd, buf, sizeof(buf) - 1);
	if (len < 0 && errno == EAGAIN)
		return;
	if (len <= 0) {
		purple_debug_error("msn", "servconn %03d read error, "
			"len: %" G_GSSIZE_FORMAT ", errno: %d, error: %s\n",
			servconn->num, len, errno, g_strerror(errno));
		msn_servconn_got_error(servconn, MSN_SERVCONN_ERROR_READ, NULL);

		return;
	}

	buf[len] = '\0';

	servconn->rx_buf = g_realloc(servconn->rx_buf, len + servconn->rx_len + 1);
	memcpy(servconn->rx_buf + servconn->rx_len, buf, len + 1);
	servconn->rx_len += len;

	servconn = msn_servconn_process_data(servconn);
	if (servconn)
		servconn_timeout_renew(servconn);
}

MsnServConn *msn_servconn_process_data(MsnServConn *servconn)
{
	char *cur, *end, *old_rx_buf;
	int cur_len;

	end = old_rx_buf = servconn->rx_buf;

	servconn->processing = TRUE;

	do
	{
		cur = end;

		if (servconn->payload_len)
		{
			if (servconn->payload_len > servconn->rx_len)
				/* The payload is still not complete. */
				break;

			cur_len = servconn->payload_len;
			end += cur_len;
		}
		else
		{
			end = strstr(cur, "\r\n");

			if (end == NULL)
				/* The command is still not complete. */
				break;

			*end = '\0';
			end += 2;
			cur_len = end - cur;
		}

		servconn->rx_len -= cur_len;

		if (servconn->payload_len)
		{
			msn_cmdproc_process_payload(servconn->cmdproc, cur, cur_len);
			servconn->payload_len = 0;
		}
		else
		{
			msn_cmdproc_process_cmd_text(servconn->cmdproc, cur);
			servconn->payload_len = servconn->cmdproc->last_cmd->payload_len;
		}
	} while (servconn->connected && !servconn->wasted && servconn->rx_len > 0);

	if (servconn->connected && !servconn->wasted)
	{
		if (servconn->rx_len > 0)
			servconn->rx_buf = g_memdup(cur, servconn->rx_len);
		else
			servconn->rx_buf = NULL;
	}

	servconn->processing = FALSE;

	if (servconn->wasted) {
		msn_servconn_destroy(servconn);
		servconn = NULL;
	}

	g_free(old_rx_buf);
	return servconn;
}

#if 0
static int
create_listener(int port)
{
	int fd;
	int flags;
	const int on = 1;

#if 0
	struct addrinfo hints;
	struct addrinfo *c, *res;
	char port_str[5];

	snprintf(port_str, sizeof(port_str), "%d", port);

	memset(&hints, 0, sizeof(hints));

	hints.ai_flags = AI_PASSIVE;
	hints.ai_family = AF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;

	if (getaddrinfo(NULL, port_str, &hints, &res) != 0)
	{
		purple_debug_error("msn", "Could not get address info: %s.\n",
						 port_str);
		return -1;
	}

	for (c = res; c != NULL; c = c->ai_next)
	{
		fd = socket(c->ai_family, c->ai_socktype, c->ai_protocol);

		if (fd < 0)
			continue;

		setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));

		if (bind(fd, c->ai_addr, c->ai_addrlen) == 0)
			break;

		close(fd);
	}

	if (c == NULL)
	{
		purple_debug_error("msn", "Could not find socket: %s.\n", port_str);
		return -1;
	}

	freeaddrinfo(res);
#else
	struct sockaddr_in sockin;

	fd = socket(AF_INET, SOCK_STREAM, 0);

	if (fd < 0)
		return -1;

	if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on)) != 0)
	{
		close(fd);
		return -1;
	}

	memset(&sockin, 0, sizeof(struct sockaddr_in));
	sockin.sin_family = AF_INET;
	sockin.sin_port = htons(port);

	if (bind(fd, (struct sockaddr *)&sockin, sizeof(struct sockaddr_in)) != 0)
	{
		close(fd);
		return -1;
	}
#endif

	if (listen (fd, 4) != 0)
	{
		close (fd);
		return -1;
	}

	flags = fcntl(fd, F_GETFL);
	fcntl(fd, F_SETFL, flags | O_NONBLOCK);
#ifndef _WIN32
	fcntl(fd, F_SETFD, FD_CLOEXEC);
#endif

	return fd;
}
#endif