# HG changeset patch # User Mark Doliner # Date 1336037291 0 # Node ID 069919a0896c704553bdad69707bfc1ceea1f915 # Parent 4d33c1b307880f65fe54aca5dcfb1b508f642a82 Validate utf8 for a few random strings that we read, in case AOL or ICQ decide to start sending us non-utf8 diff -r 4d33c1b30788 -r 069919a0896c libpurple/protocols/oscar/family_auth.c --- a/libpurple/protocols/oscar/family_auth.c Thu May 03 08:36:47 2012 +0000 +++ b/libpurple/protocols/oscar/family_auth.c Thu May 03 09:28:11 2012 +0000 @@ -27,6 +27,7 @@ */ #include "oscar.h" +#include "oscarcommon.h" #include @@ -506,14 +507,29 @@ static int keyparse(OscarData *od, FlapConnection *conn, aim_module_t *mod, FlapFrame *frame, aim_modsnac_t *snac, ByteStream *bs) { - int keylen, ret = 1; - aim_rxcallback_t userfunc; + int keylen; char *keystr; GSList *tlvlist; gboolean truncate_pass; + PurpleConnection *gc; + PurpleAccount *account; + ClientInfo aiminfo = CLIENTINFO_PURPLE_AIM; + ClientInfo icqinfo = CLIENTINFO_PURPLE_ICQ; + + gc = od->gc; + account = purple_connection_get_account(gc); keylen = byte_stream_get16(bs); keystr = byte_stream_getstr(bs, keylen); + if (!g_utf8_validate(keystr, -1, NULL)) { + purple_debug_warning("oscar", "Received SNAC %04hx/%04hx with " + "invalid UTF-8 keystr.\n", snac->family, snac->subtype); + purple_connection_error(gc, PURPLE_CONNECTION_ERROR_OTHER_ERROR, + _("Received unexpected response from server")); + g_free(keystr); + return 1; + } + tlvlist = aim_tlvlist_read(bs); /* @@ -527,13 +543,18 @@ * for the netscape network. This SNAC had a type 0x0058 TLV with length 10. * Data is 0x0007 0004 3e19 ae1e 0006 0004 0000 0005 */ - if ((userfunc = aim_callhandler(od, snac->family, snac->subtype))) - ret = userfunc(od, conn, frame, keystr, (int)truncate_pass); + aim_send_login(od, conn, purple_account_get_username(account), + purple_connection_get_password(gc), truncate_pass, + od->icq ? &icqinfo : &aiminfo, keystr, + purple_account_get_bool(account, "allow_multiple_logins", OSCAR_DEFAULT_ALLOW_MULTIPLE_LOGINS)); + + purple_connection_update_progress(gc, + _("Password sent"), 2, OSCAR_CONNECT_STEPS); g_free(keystr); aim_tlvlist_free(tlvlist); - return ret; + return 1; } /** diff -r 4d33c1b30788 -r 069919a0896c libpurple/protocols/oscar/family_bart.c --- a/libpurple/protocols/oscar/family_bart.c Thu May 03 08:36:47 2012 +0000 +++ b/libpurple/protocols/oscar/family_bart.c Thu May 03 09:28:11 2012 +0000 @@ -143,6 +143,12 @@ guint8 iconcsumtype, iconcsumlen, *iconcsum, *icon; bn = byte_stream_getstr(bs, byte_stream_get8(bs)); + if (!g_utf8_validate(bn, -1, NULL)) { + purple_debug_warning("oscar", "Received SNAC %04hx/%04hx with " + "invalid UTF-8 buddy name.\n", snac->family, snac->subtype); + g_free(bn); + return 1; + } flags = byte_stream_get16(bs); iconcsumtype = byte_stream_get8(bs); iconcsumlen = byte_stream_get8(bs); diff -r 4d33c1b30788 -r 069919a0896c libpurple/protocols/oscar/family_icbm.c --- a/libpurple/protocols/oscar/family_icbm.c Thu May 03 08:36:47 2012 +0000 +++ b/libpurple/protocols/oscar/family_icbm.c Thu May 03 09:28:11 2012 +0000 @@ -2095,6 +2095,12 @@ channel = byte_stream_get16(bs); bnlen = byte_stream_get8(bs); bn = byte_stream_getstr(bs, bnlen); + if (!g_utf8_validate(bn, -1, NULL)) { + purple_debug_warning("oscar", "Received SNAC %04hx/%04hx with " + "invalid UTF-8 buddy name.\n", snac->family, snac->subtype); + g_free(bn); + return 1; + } event = byte_stream_get16(bs); if ((userfunc = aim_callhandler(od, snac->family, snac->subtype))) diff -r 4d33c1b30788 -r 069919a0896c libpurple/protocols/oscar/oscar.c --- a/libpurple/protocols/oscar/oscar.c Thu May 03 08:36:47 2012 +0000 +++ b/libpurple/protocols/oscar/oscar.c Thu May 03 09:28:11 2012 +0000 @@ -55,8 +55,6 @@ #define AIMHASHDATA "http://pidgin.im/aim_data.php3" -#define OSCAR_CONNECT_STEPS 6 - static guint64 purple_caps = OSCAR_CAPABILITY_CHAT | OSCAR_CAPABILITY_BUDDYICON @@ -89,7 +87,6 @@ /* Only used when connecting with the old-style BUCP login */ static int purple_parse_auth_resp (OscarData *, FlapConnection *, FlapFrame *, ...); -static int purple_parse_login (OscarData *, FlapConnection *, FlapFrame *, ...); static int purple_parse_auth_securid_request(OscarData *, FlapConnection *, FlapFrame *, ...); static int purple_handle_redirect (OscarData *, FlapConnection *, FlapFrame *, ...); @@ -673,7 +670,6 @@ /* These are only needed when connecting with the old-style BUCP login */ oscar_data_addhandler(od, SNAC_FAMILY_AUTH, 0x0003, purple_parse_auth_resp, 0); - oscar_data_addhandler(od, SNAC_FAMILY_AUTH, 0x0007, purple_parse_login, 0); oscar_data_addhandler(od, SNAC_FAMILY_AUTH, SNAC_SUBTYPE_AUTH_SECURID_REQUEST, purple_parse_auth_securid_request, 0); oscar_data_addhandler(od, SNAC_FAMILY_BART, SNAC_SUBTYPE_BART_RESPONSE, purple_icon_parseicon, 0); @@ -1232,38 +1228,6 @@ return 1; } -/** - * Only used when connecting with the old-style BUCP login. - */ -static int -purple_parse_login(OscarData *od, FlapConnection *conn, FlapFrame *fr, ...) -{ - PurpleConnection *gc; - PurpleAccount *account; - ClientInfo aiminfo = CLIENTINFO_PURPLE_AIM; - ClientInfo icqinfo = CLIENTINFO_PURPLE_ICQ; - va_list ap; - char *key; - gboolean truncate_pass; - - gc = od->gc; - account = purple_connection_get_account(gc); - - va_start(ap, fr); - key = va_arg(ap, char *); - truncate_pass = va_arg(ap, int); - va_end(ap); - - aim_send_login(od, conn, purple_account_get_username(account), - purple_connection_get_password(gc), truncate_pass, - od->icq ? &icqinfo : &aiminfo, key, - purple_account_get_bool(account, "allow_multiple_logins", OSCAR_DEFAULT_ALLOW_MULTIPLE_LOGINS)); - - purple_connection_update_progress(gc, _("Password sent"), 2, OSCAR_CONNECT_STEPS); - - return 1; -} - static int purple_handle_redirect(OscarData *od, FlapConnection *conn, FlapFrame *fr, ...) { diff -r 4d33c1b30788 -r 069919a0896c libpurple/protocols/oscar/oscar.h --- a/libpurple/protocols/oscar/oscar.h Thu May 03 08:36:47 2012 +0000 +++ b/libpurple/protocols/oscar/oscar.h Thu May 03 09:28:11 2012 +0000 @@ -114,6 +114,8 @@ #define AIM_MD5_STRING "AOL Instant Messenger (SM)" +#define OSCAR_CONNECT_STEPS 6 + /* * Client info. Filled in by the client and passed in to * aim_send_login(). The information ends up getting passed to OSCAR