Bugzilla – Attachment 21723 Details for
Bug 56630
VUL-0: CVE-2004-0500: gaim security audit
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
IDP Log In
|
Forgot Password
[patch]
fix for overflows
gaim-0.75-msn-security.diff (text/plain), 1.69 KB, created by
Sebastian Krahmer
on 2004-06-28 20:01:58 UTC
(
hide
)
Description:
fix for overflows
Filename:
MIME Type:
Creator:
Sebastian Krahmer
Created:
2004-06-28 20:01:58 UTC
Size:
1.69 KB
patch
obsolete
>--- servconn.c.orig 2003-12-26 17:37:33.000000000 -0800 >+++ servconn.c 2004-06-26 05:19:13.000000000 -0700 >@@ -146,7 +146,7 @@ > > if (servconn->multiline_type == MSN_MULTILINE_MSG) { > MsnMessage *msg; >- size_t header_len; >+ size_t header_len, left; > > g_snprintf(msg_str, sizeof(msg_str), > "MSG %s %s %d\r\n", >@@ -154,8 +154,10 @@ > servconn->multiline_len); > > header_len = strlen(msg_str); >- >- memcpy(msg_str + header_len, buffer, servconn->multiline_len); >+ left = sizeof(msg_str) - header_len; >+ if (left > servconn->multiline_len) >+ left = servconn->multiline_len; >+ memcpy(msg_str + header_len, buffer, left); > > gaim_debug(GAIM_DEBUG_MISC, "msn", > "Message: {%s}\n", buffer); >@@ -654,3 +656,6 @@ > } > } > } > > >--- msnslp.c.orig 2003-11-22 19:23:02.000000000 -0800 >+++ msnslp.c 2004-06-26 05:23:23.000000000 -0700 >@@ -224,13 +224,17 @@ > /* It's not valid. Kill this off. */ > char temp[32]; > const char *c; >+ size_t offset; > >+ memset(temp, 0, sizeof(temp)); > /* Eww */ > if ((c = strchr(status, '\r')) || (c = strchr(status, '\n')) || > (c = strchr(status, '\0'))) > { >- strncpy(temp, status, c - status); >- temp[c - status] = '\0'; >+ offset = c - status; >+ if (offset >= sizeof(temp)) >+ offset = sizeof(temp) - 1; >+ strncpy(temp, status, offset); > } > > gaim_debug_error("msn", "Received non-OK result: %s\n", temp); >--- msg.c.orig 2003-12-12 22:19:56.000000000 -0800 >+++ msg.c 2004-06-26 05:26:14.000000000 -0700 >@@ -257,7 +257,8 @@ > > msg->msnslp_message = TRUE; > >- memcpy(header, tmp, 48); >+ memset(header, 0, sizeof(header)); >+ memcpy(header, tmp, sizeof(header)-1); > > tmp += 48; > >@@ -901,4 +902,3 @@ > > return table; > } >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=21723">View the attachment on a separate page</a>.</b>
Actions:
View
|
Diff
Attachments on
bug 56630
:
21723
|
22258
|
22553
|
22593
|
22613
|
22614