Fix a bug where the MXit server or a man-in-the-middle could release-2.x.y
authorMark Doliner <mark@kingant.net>
Mon, 11 Feb 2013 01:09:30 -0800
branchrelease-2.x.y
changeset879db2a9a59c pushlog
parent a8aef1d340f2
child c31cf8de31cd
Fix a bug where the MXit server or a man-in-the-middle could
potentially send specially crafted data that could overflow a buffer
and lead to a crash or remote code execution.

This is CVE-2013-0272.

The problem was detected by Coverity static analysis, and Daniel Atallah
brought it to everyone's attention and got us to fix it.
ChangeLog
libpurple/protocols/mxit/http.c
      1.1 --- a/ChangeLog
      1.2 +++ b/ChangeLog
      1.3 @@ -39,6 +39,9 @@
      1.4  	MXit:
      1.5  	* Fix a bug where a remote MXit user could possibly specify a local
      1.6  	  file path to be written to. (CVE-2013-0271)
      1.7 +	* Fix a bug where the MXit server or a man-in-the-middle could
      1.8 +	  potentially send specially crafted data that could overflow a buffer
      1.9 +	  and lead to a crash or remote code execution. (CVE-2013-0272)
     1.10  	* Display farewell messages in a different colour to distinguish
     1.11  	  them from normal messages.
     1.12  	* Add support for typing notification.
      2.1 --- a/libpurple/protocols/mxit/http.c
      2.2 +++ b/libpurple/protocols/mxit/http.c
      2.3 @@ -116,11 +116,12 @@
      2.4  		buflen = session->rx_i;
      2.5  
      2.6  		/* read bytes from the socket */
      2.7 -		len = read( session->fd, buf + buflen, sizeof( buf ) - buflen );
      2.8 +		len = read( session->fd, buf + buflen, sizeof( buf ) - ( buflen + 1 ) );
      2.9  		if ( len <= 0 ) {
     2.10  			/* connection has been terminated, or error occurred */
     2.11  			goto done;
     2.12  		}
     2.13 +		buf[buflen+len] = '\0';
     2.14  
     2.15  //nextpacket:
     2.16  
     2.17 @@ -181,7 +182,11 @@
     2.18  		g_free( tmp );
     2.19  		tmp = NULL;
     2.20  
     2.21 -		if ( buflen > ( ( body - buf ) + bodylen ) ) {
     2.22 +		if ( buflen + bodylen >= CP_MAX_PACKET ) {
     2.23 +			/* this packet is way to big */
     2.24 +			goto done;
     2.25 +		}
     2.26 +		else if ( buflen > ( ( body - buf ) + bodylen ) ) {
     2.27  			/* we have a second packet here */
     2.28  			next = body + bodylen;
     2.29  			session->rx_res = 0;