# HG changeset patch
# User Mark Doliner
# Date 1108350426 0
# Node ID de34037a02c7310056fca566ee2e48475414503f
# Parent a78d9fac818306d50a2acd76de191c48dcdf8e1c
[gaim-migrate @ 12010]
Forward port some other stuff from oldstatus

committer: Tailor Script

diff -r a78d9fac8183 -r de34037a02c7 src/protocols/oscar/aim.h
--- a/src/protocols/oscar/aim.h	Mon Feb 14 03:02:36 2005 +0000
+++ b/src/protocols/oscar/aim.h	Mon Feb 14 03:07:06 2005 +0000
@@ -716,7 +716,7 @@
 } aim_mpmsg_section_t;
 
 typedef struct aim_mpmsg_s {
-	int numparts;
+	unsigned int numparts;
 	aim_mpmsg_section_t *parts;
 } aim_mpmsg_t;
 
@@ -751,8 +751,8 @@
 	fu32_t iconsum;
 
 	/* Only used if AIM_IMFLAGS_CUSTOMFEATURES is set */
+	fu16_t featureslen;
 	fu8_t *features;
-	fu8_t featureslen;
 
 	/* Only used if AIM_IMFLAGS_CUSTOMCHARSET is set and mpmsg not used */
 	fu16_t charset;
diff -r a78d9fac8183 -r de34037a02c7 src/protocols/oscar/bstream.c
--- a/src/protocols/oscar/bstream.c	Mon Feb 14 03:02:36 2005 +0000
+++ b/src/protocols/oscar/bstream.c	Mon Feb 14 03:07:06 2005 +0000
@@ -49,10 +49,15 @@
 	return;
 }
 
+/*
+ * N can be negative, which can be used for going backwards
+ * in a bstream. I'm not sure if libfaim actually does
+ * this anywhere...
+ */
 faim_internal int aim_bstream_advance(aim_bstream_t *bs, int n)
 {
-	if (aim_bstream_empty(bs) < n)
+	if ((aim_bstream_curpos(bs) + n < 0) || (aim_bstream_empty(bs) < n))
 		return 0; /* XXX throw an exception */
 
 	bs->offset += n;
diff -r a78d9fac8183 -r de34037a02c7 src/protocols/oscar/icq.c
--- a/src/protocols/oscar/icq.c	Mon Feb 14 03:02:36 2005 +0000
+++ b/src/protocols/oscar/icq.c	Mon Feb 14 03:07:06 2005 +0000
@@ -117,8 +117,8 @@
 }
 
 /**
- * I don't know why we have this function and the one above...
- * Maybe one of them is wrong? Maybe they both really DO exist?
+ * I'm not really sure what the difference is between this function
+ * and the one above. They both definitely exist.
  */
 faim_export int aim_icq_setauthsetting(aim_session_t *sess, int auth_required)
 {
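Review bot: The backwards-move case that the new comment on aim_bstream_advance advertises only works if both `aim_bstream_curpos()` and `aim_bstream_empty()` return signed values; if either returns an unsigned type, a negative n is promoted in `aim_bstream_empty(bs) < n` and every negative n is rejected, while `aim_bstream_curpos(bs) + n < 0` can never become true. Neither helper's signature is in this hunk, so it is worth confirming and stating the requirement in the comment, e.g. `* Relies on aim_bstream_curpos()/aim_bstream_empty() returning signed ints so a negative n is compared correctly.`. The rest of aim_bstream_advance lies outside the hunk.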
@@ -152,7 +152,7 @@
 	aimbs_putle8(&fr->data, auth_required);
 	aimbs_putle8(&fr->data, 0x0c);
 	aimbs_putle16(&fr->data, 0x0103);
-	aimbs_putle16(&fr->data, 0x0000);
+	aimbs_putle16(&fr->data, 0x0000); /* web enabled or not! */
 
 	aim_tx_enqueue(sess, fr);
 
diff -r a78d9fac8183 -r de34037a02c7 src/protocols/oscar/im.c
--- a/src/protocols/oscar/im.c	Mon Feb 14 03:02:36 2005 +0000
+++ b/src/protocols/oscar/im.c	Mon Feb 14 03:07:06 2005 +0000
@@ -248,7 +248,7 @@
 		return -EINVAL;
 
 	if (args->flags & AIM_IMFLAGS_MULTIPART) {
-		if (args->mpmsg->numparts <= 0)
+		if (args->mpmsg->numparts == 0)
 			return -EINVAL;
 	} else {
 		if (!args->msg || (args->msglen <= 0))
@@ -1332,6 +1332,11 @@
 
 	/* Message string length, including character set info. */
 	msglen = aimbs_get16(&mbs);
+	if (msglen > aim_bstream_empty(&mbs))
+	{
+		faimdprintf(sess, 0, "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.");
+		break;
+	}
 
 	/* Character set info */
 	flag1 = aimbs_get16(&mbs);
@@ -1411,7 +1416,7 @@
 	aim_rxcallback_t userfunc;
 	int ret = 0;
 	struct aim_incomingim_ch1_args args;
-	int endpos;
+	unsigned int endpos;
 
 	memset(&args, 0, sizeof(args));
 
@@ -1422,11 +1427,17 @@
 	 * I've changed it to process the TLVs in-place. This avoids lots
 	 * of per-IM memory allocations.
 	 */
-	while (aim_bstream_empty(bs)) {
-
+	while (aim_bstream_empty(bs))
+	{
 		type = aimbs_get16(bs);
 		length = aimbs_get16(bs);
 
+		if (length > aim_bstream_empty(bs))
+		{
+			faimdprintf(sess, 0, "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.\n", userinfo->sn);
+			break;
+		}
+
 		endpos = aim_bstream_curpos(bs) + length;
 
 		if (type == 0x0002) { /* Message Block */
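Review bot: The changed line in the @@ -248 hunk still dereferences `args->mpmsg` without a NULL check, whereas the else branch right below guards `args->msg` before using it; a caller that sets AIM_IMFLAGS_MULTIPART without supplying mpmsg crashes instead of getting -EINVAL. Suggest `if (!args->mpmsg || args->mpmsg->numparts == 0)`. The enclosing function starts and ends outside the hunk.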
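Review bot: The faimdprintf added after `msglen = aimbs_get16(&mbs);` in the @@ -1332 hunk uses a `%s` conversion but passes no argument, so the call reads an undefined vararg, and it also lacks the trailing `\n` the other new messages carry; either supply whatever identifies the sender in this function (it is not visible in the hunk) or drop the `%s`, e.g. `faimdprintf(sess, 0, "Received an IM containing an invalid message part. They are probably trying to do something malicious.\n");`. The new check also only bounds msglen against the remaining stream; if the code below subtracts the four charset bytes from msglen, a value under 4 would still underflow, so `if (msglen < 4 || msglen > aim_bstream_empty(&mbs))` may be needed — that code is outside the hunk, as is the loop the `break` leaves.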
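Review bot: In the @@ -1422 hunk the new length check runs after `type` and `length` have already been read, but nothing guarantees four bytes remain before those two `aimbs_get16(bs)` calls. If aimbs_get16 returns 0 without advancing on a short stream (its definition is not in this hunk), a trailing 1–3 bytes gives type 0, length 0 and an `endpos` equal to the current position, and the loop may never make progress. Changing the loop condition to `while (aim_bstream_empty(bs) >= 4)` closes that case. The loop body continues past the end of the hunk.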
@@ -1444,10 +1455,20 @@
 			aimbs_get8(bs); /* 01 */
 
 			args.featureslen = aimbs_get16(bs);
-			/* XXX XXX this is all evil! */
-			args.features = bs->data + bs->offset;
-			aim_bstream_advance(bs, args.featureslen);
-			args.icbmflags |= AIM_IMFLAGS_CUSTOMFEATURES;
+			if (args.featureslen > aim_bstream_empty(bs))
+			{
+				faimdprintf(sess, 0, "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.\n", userinfo->sn);
+				break;
+			}
+			if (args.featureslen == 0)
+			{
+				args.features = NULL;
+			}
+			else
+			{
+				args.features = aimbs_getraw(bs, args.featureslen);
+				args.icbmflags |= AIM_IMFLAGS_CUSTOMFEATURES;
+			}
 
 			/*
 			 * The rest of the TLV contains one or more message
@@ -1498,8 +1519,17 @@
 
 		} else if (type == 0x0017) {
 
+			free(args.extdata);
 			args.extdatalen = length;
-			args.extdata = aimbs_getraw(bs, args.extdatalen);
+			if (args.extdatalen > aim_bstream_empty(bs))
+			{
+				faimdprintf(sess, 0, "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.\n", userinfo->sn);
+				break;
+			}
+			if (args.extdatalen == 0)
+				args.extdata = NULL;
+			else
+				args.extdata = aimbs_getraw(bs, args.extdatalen);
 
 		} else {
 			faimdprintf(sess, 0, "incomingim_ch1: unknown TLV 0x%04x (len %d)\n", type, length);
@@ -1521,6 +1551,7 @@
 		ret = userfunc(sess, rx, channel, userinfo, &args);
 
 	aim_mpmsg_free(sess, &args.mpmsg);
+	free(args.features);
 	free(args.extdata);
 
 	return ret;
diff -r a78d9fac8183 -r de34037a02c7 src/protocols/oscar/oscar.c
--- a/src/protocols/oscar/oscar.c	Mon Feb 14 03:02:36 2005 +0000
+++ b/src/protocols/oscar/oscar.c	Mon Feb 14 03:07:06 2005 +0000
@@ -3332,6 +3332,9 @@
 	gaim_debug_misc("oscar", "Received IM from %s with %d parts\n",
 					userinfo->sn, args->mpmsg.numparts);
 
+	if (args->mpmsg.numparts == 0)
+		return 1;
+
 	bi = g_hash_table_lookup(od->buddyinfo, gaim_normalize(account, userinfo->sn));
 	if (!bi) {
 		bi = g_new0(struct buddyinfo, 1);
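Review bot: A second 0x0002 TLV in the same IM leaks the first buffer in the @@ -1444 hunk: `args.features` is overwritten by a fresh `aimbs_getraw()` without freeing the previous allocation, unlike the 0x0017 branch in this same commit, which frees `args.extdata` before reassigning. Add `free(args.features);` just before the `if (args.featureslen == 0)` test; the `free(args.features)` this commit adds after the loop then remains correct. The bound also compares featureslen with the whole remaining stream rather than with this TLV's `endpos`, so a featureslen that overruns the TLV but not the stream still passes; unless something later re-checks against endpos (not visible here), `if (args.featureslen > aim_bstream_empty(bs) || aim_bstream_curpos(bs) + args.featureslen > endpos)` would be tighter. The TLV handling continues outside the hunk.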
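Review bot: After `free(args.extdata);` in the @@ -1498 hunk the pointer keeps its old value, so if the bounds check that follows breaks out of the loop, the `free(args.extdata)` after the loop frees the same block again. The check is currently dead, because `length` was already compared with `aim_bstream_empty(bs)` at the top of the loop and `args.extdatalen` is just `length`, but the pattern is fragile; write `free(args.extdata);` followed by `args.extdata = NULL;`, or move the free into the else branch next to the new allocation. The loop body and the post-loop cleanup are outside this hunk.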
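Review bot: The gaim_debug_misc call right above the new early return in oscar.c prints `args->mpmsg.numparts` with `%d`, but this commit changes `numparts` to `unsigned int` in aim.h, so the conversion should now be `%u`: `gaim_debug_misc("oscar", "Received IM from %s with %u parts\n",`. The early return itself is consistent with the new libfaim bounds checks, which can now hand a zero-part message to this callback. The enclosing function begins and ends outside the hunk.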