In Novell Groupwise, fix potential remote crash parsing server message release-2.x.y

Tue, 08 Apr 2014 00:31:25 -0700

author
Mark Doliner <mark@kingant.net>
date
Tue, 08 Apr 2014 00:31:25 -0700
branch
release-2.x.y
changeset 36180
44fd89158777
parent 36179
6436e14bdb9d
child 36181
a324d01ba1c5

In Novell Groupwise, fix potential remote crash parsing server message
that indicates that a large amount of memory should be allocated. I
added arbitrary max size checks that are hopefully larger than any real
expected value. It was kinda weird that the existing check only tested for
MAXINT. We'll want to request a CVE ID for this.

Discovered by Yves Younan and Richard Johnson of Sourcefire VRT

ChangeLog
libpurple/protocols/novell/nmevent.c
--- a/ChangeLog	Mon Apr 07 23:45:55 2014 -0700
+++ b/ChangeLog	Tue Apr 08 00:31:25 2014 -0700
@@ -12,6 +12,11 @@
 	Gadu-Gadu:
 	* Updated internal libgadu to version 1.12.0-rc2.
 
+	Groupwise:
+	* Fix potential remote crash parsing server message that indicates that
+	  a large amount of memory should be allocated. (Discovered by Yves Younan
+	  and Richard Johnson of Sourcefire VRT) (CVE-2014-NNNN)
+
 	MXit:
 	* Fix potential remote crash parsing a malformed emoticon response.
 	  (Discovered by Yves Younan and Richard Johnson of Sourcefire VRT)
--- a/libpurple/protocols/novell/nmevent.c	Mon Apr 07 23:45:55 2014 -0700
+++ b/libpurple/protocols/novell/nmevent.c	Tue Apr 08 00:31:25 2014 -0700
@@ -149,7 +149,7 @@
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
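Review bot: The new bound `if (size > 1000) return NMERR_PROTOCOL;` is still evaluated before `rc == NM_OK` is tested, so when `nm_read_uint32()` fails the function decides on whatever `size` happens to hold — possibly stale or uninitialized, since the declaration of `size` is outside this hunk — and a read failure can be reported as a protocol error instead of as `rc`. Moving the check into the success branch, `if (rc == NM_OK) { if (size > 1000) return NMERR_PROTOCOL; guid = g_new0(char, size + 1); ...`, avoids both problems. The literal 1000 is also repeated in about a dozen hunks of this file alongside 10000, 100000 and 1000000; a named constant such as `#define NM_MAX_GUID_LEN 1000` with a one-line comment on why the bound was chosen would document the intent and keep the limits consistent. The enclosing function starts and ends outside the hunk.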
@@ -164,7 +164,7 @@
 	/* Read the message text */
 	if (rc == NM_OK) {
 		rc = nm_read_uint32(conn, &size);
-		if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+		if (size > 100000)	return NMERR_PROTOCOL;
 
 		if (rc == NM_OK) {
 			msg = g_new0(char, size + 1);
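Review bot: The early `return NMERR_PROTOCOL;` at `if (size > 100000)` exits while the conference guid read earlier in this function appears to still be owned by a local — `guid` is allocated with `g_new0` in the preceding hunk at line 149 — so an oversized message-length field would leak it. The leak pattern predates this change, but the new guard is now the normal rejection path, so it is worth closing: `{ g_free(guid); return NMERR_PROTOCOL; }`, or set `rc = NMERR_PROTOCOL` and fall through to the function's cleanup if it has one. The enclosing function starts and ends outside the hunk, so whether another path frees `guid` cannot be confirmed from here.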
@@ -270,7 +270,7 @@
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -280,7 +280,7 @@
 	/* Read the the message */
 	if (rc == NM_OK) {
 		rc = nm_read_uint32(conn, &size);
-		if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+		if (size > 100000)	return NMERR_PROTOCOL;
 
 		if (rc == NM_OK) {
 			msg = g_new0(char, size + 1);
@@ -349,7 +349,7 @@
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -401,7 +401,7 @@
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -440,7 +440,7 @@
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -490,7 +490,7 @@
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -530,7 +530,7 @@
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -589,7 +589,7 @@
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -632,7 +632,7 @@
 
 		/* Read the status text */
 		rc = nm_read_uint32(conn, &size);
-		if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+		if (size > 10000)	return NMERR_PROTOCOL;
 
 		if (rc == NM_OK) {
 			text = g_new0(char, size + 1);
@@ -670,7 +670,7 @@
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -833,7 +833,10 @@
 	/* Read the event source */
 	rc = nm_read_uint32(conn, &size);
 	if (rc == NM_OK) {
-		if (size > 0) {
+		if (size > 1000000) {
+			/* Size is larger than our 1MB sanity check. Ignore it. */
+			rc = NMERR_PROTOCOL;
+		} else {
 			source = g_new0(char, size);
 
 			rc = nm_read_all(conn, source, size);
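Review bot: The rewritten condition drops the old `size > 0` guard: a zero-length event source now falls into the `else` branch and calls `g_new0(char, 0)` — which GLib documents as returning NULL for a zero count — followed by `nm_read_all(conn, source, 0)` with a NULL buffer, whereas before the read was skipped entirely. Restoring the lower bound as `} else if (size > 0) {` keeps the new cap while preserving the original zero-length behaviour. The comment also says "1MB" while the literal is 1000000; either write `1000000 (roughly 1MB)` or use `1024 * 1024` so the two agree. The enclosing function starts and ends outside the hunk.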
