author: Mark Doliner <mark@kingant.net>
date: Mon, 11 Feb 2013 01:09:30 -0800
branch: release-2.x.y
changeset: 879db2a9a59c
parent: a8aef1d340f2
child: c31cf8de31cd
Fix a bug where the MXit server or a man-in-the-middle could
potentially send specially crafted data that could overflow a buffer
and lead to a crash or remote code execution.

This is CVE-2013-0272.

The problem was detected by Coverity static analysis, and Daniel Atallah
brought it to everyone's attention and got us to fix it.
ChangeLog
libpurple/protocols/mxit/http.c
     1.1 --- a/ChangeLog
     1.2 +++ b/ChangeLog
     1.3 @@ -39,6 +39,9 @@
     1.4  	MXit:
     1.5  	* Fix a bug where a remote MXit user could possibly specify a local
     1.6  	  file path to be written to. (CVE-2013-0271)
     1.7 +	* Fix a bug where the MXit server or a man-in-the-middle could
     1.8 +	  potentially send specially crafted data that could overflow a buffer
     1.9 +	  and lead to a crash or remote code execution. (CVE-2013-0272)
    1.10  	* Display farewell messages in a different colour to distinguish
    1.11  	  them from normal messages.
    1.12  	* Add support for typing notification.
     2.1 --- a/libpurple/protocols/mxit/http.c
     2.2 +++ b/libpurple/protocols/mxit/http.c
     2.3 @@ -116,11 +116,12 @@
     2.4  		buflen = session->rx_i;
     2.5  
     2.6  		/* read bytes from the socket */
     2.7 -		len = read( session->fd, buf + buflen, sizeof( buf ) - buflen );
     2.8 +		len = read( session->fd, buf + buflen, sizeof( buf ) - ( buflen + 1 ) );
     2.9  		if ( len <= 0 ) {
    2.10  			/* connection has been terminated, or error occurred */
    2.11  			goto done;
    2.12  		}
    2.13 +		buf[buflen+len] = '\0';
    2.14  
    2.15  //nextpacket:
    2.16  
    2.17 @@ -181,7 +182,11 @@
    2.18  		g_free( tmp );
    2.19  		tmp = NULL;
    2.20  
    2.21 -		if ( buflen > ( ( body - buf ) + bodylen ) ) {
    2.22 +		if ( buflen + bodylen >= CP_MAX_PACKET ) {
    2.23 +			/* this packet is way to big */
    2.24 +			goto done;
    2.25 +		}
    2.26 +		else if ( buflen > ( ( body - buf ) + bodylen ) ) {
    2.27  			/* we have a second packet here */
    2.28  			next = body + bodylen;
    2.29  			session->rx_res = 0;
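Review bot: The size check `buflen + bodylen >= CP_MAX_PACKET` adds before it compares, so if `bodylen` is a signed value derived from received data, a negative value lowers the sum and a very large one can overflow it; either can pass the check and still reach `next = body + bodylen` in the else-if branch. Reject `bodylen < 0` first and compare by subtraction, for example `bodylen >= CP_MAX_PACKET - buflen`. The limit here is `CP_MAX_PACKET` while the read in the previous hunk is limited by `sizeof( buf )`; if those are not the same size, one bound should be used for both. Minor: the comment should read "way too big".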