File pidgin-CVE-2014-3696 of Package pidgin.220

# HG changeset patch
# User Mark Doliner <mark@kingant.net>
# Date 1396942285 25200
#      Tue Apr 08 00:31:25 2014 -0700
# Branch release-2.x.y
# Node ID 44fd8915877754d378f859dae73b64b39d4e7cb0
# Parent  6436e14bdb9d997dfd73cc7cea1b300c37fa401d
In Novell Groupwise, fix potential remote crash parsing server message
that indicates that a large amount of memory should be allocated. I
added arbitrary max size checks that are hopefully larger than any real
expected value. It was kinda weird that the existing check only checked
MAXINT. We'll want to request a CVE ID for this.

Discovered by Yves Younan and Richard Johnson of Sourcefire VRT

diff -r 6436e14bdb9d -r 44fd89158777 libpurple/protocols/novell/nmevent.c
--- a/libpurple/protocols/novell/nmevent.c	Mon Apr 07 23:45:55 2014 -0700
+++ b/libpurple/protocols/novell/nmevent.c	Tue Apr 08 00:31:25 2014 -0700
@@ -149,7 +149,7 @@
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
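Review bot: The new bound `size > 1000` is evaluated before `rc` is tested, so when nm_read_uint32() fails the comparison runs on whatever `size` held beforehand. The declaration of `size` is outside the hunk; if it is not initialised this reads an indeterminate value, and a stale large value would turn a read error into NMERR_PROTOCOL. Folding the check into the status flow, `if (rc == NM_OK && size > 1000) rc = NMERR_PROTOCOL;`, leaves the existing `if (rc == NM_OK)` guard in charge of the allocation. The same ordering recurs in every conference-guid hunk of this patch (-270, -349, -401, -440, -490, -530, -589, -670). The enclosing function starts and ends outside the hunk.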
@@ -164,7 +164,7 @@
 	/* Read the message text */
 	if (rc == NM_OK) {
 		rc = nm_read_uint32(conn, &size);
-		if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+		if (size > 100000)	return NMERR_PROTOCOL;
 
 		if (rc == NM_OK) {
 			msg = g_new0(char, size + 1);
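Review bot: The early `return NMERR_PROTOCOL` on an oversized message length leaves the function without running whatever cleanup follows. If this hunk sits in the same function as the guid read at -149, as the line numbers suggest, the `guid` buffer allocated there is not freed on this path, so a peer sending oversized lengths can cause a repeatable small leak. Setting the status instead, `if (rc == NM_OK && size > 100000) rc = NMERR_PROTOCOL;`, lets the nested `if (rc == NM_OK)` skip the allocation and the normal exit path run, as the event-source hunk at -833 already does. The hunk at -280 has the same shape, and the status-text check at -632 is worth checking for the same thing. The function's cleanup code is outside the hunk, so the leak is inferred rather than visible.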
@@ -270,7 +270,7 @@
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -280,7 +280,7 @@
 	/* Read the the message */
 	if (rc == NM_OK) {
 		rc = nm_read_uint32(conn, &size);
-		if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+		if (size > 100000)	return NMERR_PROTOCOL;
 
 		if (rc == NM_OK) {
 			msg = g_new0(char, size + 1);
@@ -349,7 +349,7 @@
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -401,7 +401,7 @@
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -440,7 +440,7 @@
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -490,7 +490,7 @@
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -530,7 +530,7 @@
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -589,7 +589,7 @@
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -632,7 +632,7 @@
 
 		/* Read the status text */
 		rc = nm_read_uint32(conn, &size);
-		if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+		if (size > 10000)	return NMERR_PROTOCOL;
 
 		if (rc == NM_OK) {
 			text = g_new0(char, size + 1);
@@ -670,7 +670,7 @@
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -833,7 +833,10 @@
 	/* Read the event source */
 	rc = nm_read_uint32(conn, &size);
 	if (rc == NM_OK) {
-		if (size > 0) {
+		if (size > 1000000) {
+			/* Size is larger than our 1MB sanity check. Ignore it. */
+			rc = NMERR_PROTOCOL;
+		} else {
 			source = g_new0(char, size);
 
 			rc = nm_read_all(conn, source, size);
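Review bot: Replacing `if (size > 0)` with a plain `else` sends a zero-length event source into the allocation branch, where `g_new0(char, 0)` returns NULL and `nm_read_all()` is then called with a NULL buffer and length 0. How nm_read_all() treats that is outside the hunk, but the old code skipped the read entirely for size 0, so this is a behaviour change the commit message does not mention. `} else if (size > 0) {` keeps the previous handling while still rejecting oversized values. The buffer is also allocated as `size` rather than `size + 1` as in the other hunks, so it is only NUL-terminated if the sender includes the terminator; that deserves a comment if later code treats `source` as a C string.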