Bugzilla – Attachment 38961 Details for
Bug 90337
VUL-0: CVE-2005-1934: another gaim DoS
[patch]
msn_malformed_MSG_fix.patch
msn_malformed_MSG_fix.patch (text/plain), 2.33 KB, created by
Ludwig Nussel
on 2005-06-10 07:00:14 UTC
Description:
msn_malformed_MSG_fix.patch
Filename:
MIME Type:
Creator:
Ludwig Nussel
Created:
2005-06-10 07:00:14 UTC
Size:
2.33 KB
patch
obsolete
>Index: src/protocols/msn/msg.c
>===================================================================
>RCS file: /cvsroot/gaim/gaim/src/protocols/msn/msg.c,v
>retrieving revision 1.36.2.8
>diff -u -d -p -r1.36.2.8 msg.c
>--- src/protocols/msn/msg.c 7 Jan 2005 02:48:05 -0000 1.36.2.8
>+++ src/protocols/msn/msg.c 8 Jun 2005 21:29:23 -0000
>@@ -205,7 +205,10 @@ msn_message_parse_payload(MsnMessage *ms
> /* TODO? some clients use \r delimiters instead of \r\n, the official client
> * doesn't send such messages, but does handle receiving them. We'll just
> * avoid crashing for now */
>- g_return_if_fail(end != NULL);
>+ if (end == NULL) {
>+ g_free(tmp_base);
>+ g_return_if_reached();
>+ }
> *end = '\0';
> 
> elems = g_strsplit(tmp, "\r\n", 0);
>@@ -252,6 +255,7 @@ msn_message_parse_payload(MsnMessage *ms
> 
> g_strfreev(elems);
> 
>+ /* Proceed to the end of the "\r\n\r\n" */
> tmp = end + 4;
> 
> /* Now we *should* be at the body. */
>@@ -262,6 +266,12 @@ msn_message_parse_payload(MsnMessage *ms
> {
> MsnSlpHeader header;
> MsnSlpFooter footer;
>+ int body_len;
>+
>+ if (payload_len - (tmp - tmp_base) < sizeof(header)) {
>+ g_free(tmp_base);
>+ g_return_if_reached();
>+ }
> 
> msg->msnslp_message = TRUE;
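Review bot: The new bail-out path `if (end == NULL) { g_free(tmp_base); g_return_if_reached(); }` reports input that a remote peer controls through `g_return_if_reached()`, which, like GLib's other `g_return_*` macros, logs at critical level and returns; under `G_DEBUG=fatal-criticals` or a fatal log mask set by the host application that log call aborts the process, so the fixed crash would come back as a remotely triggered abort. A payload without the `\r\n\r\n` terminator is malformed network input rather than a programming error, so a plain `return;` after the free (optionally preceded by a warning- or debug-level log) fits better: `if (end == NULL) { g_free(tmp_base); return; }`. The same construct is repeated in the third hunk of this patch, and the leak it fixes (returning without freeing `tmp_base`) was the real defect of the old `g_return_if_fail`. msn_message_parse_payload's signature and the allocation of `tmp_base` lie before this hunk.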
> 
>@@ -279,24 +289,28 @@ msn_message_parse_payload(MsnMessage *ms
> msg->msnslp_header.ack_sub_id = GUINT32_FROM_LE(header.ack_sub_id);
> msg->msnslp_header.ack_size = GUINT64_FROM_LE(header.ack_size);
> 
>- /* Import the body. */
>- msg->body_len = payload_len - (tmp - tmp_base) - sizeof(footer);
>+ body_len = payload_len - (tmp - tmp_base) - sizeof(footer);
> 
>- if (msg->body_len > 0)
>+ /* Import the body. */
>+ if (body_len > 0) {
>+ msg->body_len = body_len;
> msg->body = g_memdup(tmp, msg->body_len);
>-
>- tmp += msg->body_len;
>+ tmp += body_len;
>+ }
> 
> /* Import the footer. */
>- memcpy(&footer, tmp, sizeof(footer));
>- tmp += sizeof(footer);
>-
>- msg->msnslp_footer.value = GUINT32_FROM_BE(footer.value);
>+ if (body_len >= 0) {
>+ memcpy(&footer, tmp, sizeof(footer));
>+ tmp += sizeof(footer);
>+ msg->msnslp_footer.value = GUINT32_FROM_BE(footer.value);
>+ }
> }
> else
> {
>- msg->body_len = payload_len - (tmp - tmp_base);
>- msg->body = g_memdup(tmp, msg->body_len);
>+ if (payload_len - (tmp - tmp_base) > 0) {
>+ msg->body_len = payload_len - (tmp - tmp_base);
>+ msg->body = g_memdup(tmp, msg->body_len);
>+ }
> }
> 
> g_free(tmp_base);
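Review bot: The new guard `if (payload_len - (tmp - tmp_base) < sizeof(header))` is the only thing standing between a truncated peer message and the header copy that follows it outside this hunk, and nothing near it says so; a comment such as `/* A malformed message may end before the MSNSLP header; bail out rather than read past the payload. */` would make the intent clear to the next reader. The comparison mixes the `ptrdiff_t` term `tmp - tmp_base` with `size_t`, so it is evaluated unsigned and is only sound because `tmp` (derived from `end + 4`, with `end` required non-NULL in the first hunk) presumably cannot lie past `tmp_base + payload_len`; stating that invariant in the same comment, and computing the remaining length once as a `size_t` local declared next to `int body_len`, would let the footer check in the next hunk reuse it. `payload_len`'s declared type and the header `memcpy` are not visible in this hunk.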
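Review bot: The footer bound at `body_len = payload_len - (tmp - tmp_base) - sizeof(footer);` relies on an unsigned wraparound being converted into a negative `int`: `sizeof(footer)` is `size_t`, so the whole right-hand side is unsigned, and when fewer than `sizeof(footer)` bytes remain the value is out of range for `int`, whose conversion is implementation-defined (modular on GCC, so the `body_len >= 0` test works in practice, but the standard does not promise it and `-Wsign-conversion` flags it). Computing the remaining byte count once as a `size_t` (declared with the other locals at the top of the block, in the previous hunk) and comparing it against `sizeof(footer)` explicitly avoids the wrap, and putting the body and footer in the same branch makes a truncated message skip both instead of leaving `msnslp_footer.value` silently unset while `msg->msnslp_message` is TRUE. Whether `msg` is zero-initialised, so that the skipped fields read as 0, is not visible here. msn_message_parse_payload begins before this hunk.
```c
		/* … unchanged: ack_sub_id / ack_size conversions … */
		remaining = payload_len - (tmp - tmp_base);

		/* A truncated message may end before the footer; import nothing rather
		 * than read past the end of the payload. */
		if (remaining >= sizeof(footer)) {
			body_len = remaining - sizeof(footer);
			/* Import the body. */
			if (body_len > 0) {
				msg->body_len = body_len;
				msg->body = g_memdup(tmp, msg->body_len);
				tmp += body_len;
			}
			/* Import the footer. */
			memcpy(&footer, tmp, sizeof(footer));
			tmp += sizeof(footer);
			msg->msnslp_footer.value = GUINT32_FROM_BE(footer.value);
		}
		/* … unchanged: else branch and g_free(tmp_base) … */
```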