[libgadu-commit] r638 - in trunk: src test/protocol/tests

Libgadu commit list libgadu-commit at lists.ziew.org
Thu Oct 23 23:50:30 CEST 2008 

Author: wojtekka
Date: 2008-10-23 23:50:29 +0200 (Thu, 23 Oct 2008)
New Revision: 638

Modified:
   trunk/src/events.c
   trunk/test/protocol/tests/10-contacts.scr
Log:
Poprawka błędu analizowania pakietów GG_NOTIFY_REPLY* znalezionego przez Jakuba Zawadzkiego. Odpowiednio spreparowany pakiet wysłany przez serwer może spowodować naruszenie ochrony pamięci.


Modified: trunk/src/events.c
===================================================================
--- trunk/src/events.c	2008-10-23 21:47:32 UTC (rev 637)
+++ trunk/src/events.c	2008-10-23 21:50:29 UTC (rev 638)
@@ -722,7 +722,7 @@
 				if (GG_S_D(n->status)) {
 					unsigned char descr_len = *((char*) n + sizeof(struct gg_notify_reply77));
 
-					if (descr_len < length) {
+					if (sizeof(struct gg_notify_reply77) + descr_len <= length) {
 						char *descr;
 
 						if (!(descr = malloc(descr_len + 1))) {
@@ -872,7 +872,7 @@
 				if (GG_S_D(n->status)) {
 					unsigned char descr_len = *((char*) n + sizeof(struct gg_notify_reply60));
 
-					if (descr_len < length) {
+					if (sizeof(struct gg_notify_reply60) + descr_len <= length) {
 						if (!(e->event.notify60[i].descr = malloc(descr_len + 1))) {
 							gg_debug_session(sess, GG_DEBUG_MISC, "// gg_watch_fd_connected() not enough memory for notify data\n");
 							goto fail;

Modified: trunk/test/protocol/tests/10-contacts.scr
===================================================================
--- trunk/test/protocol/tests/10-contacts.scr	2008-10-23 21:47:32 UTC (rev 637)
+++ trunk/test/protocol/tests/10-contacts.scr	2008-10-23 21:50:29 UTC (rev 638)
@@ -570,3 +570,12 @@
 #	notify60[1].uin == 0
 )
 
+#-----------------------------------------------------------------------------
+# Trigger segfault found by Jakub Zawadzki (pre-1.8.2)
+#-----------------------------------------------------------------------------
+
+send (18 00 00 00 1a 00 00 00 01 00 00 00 05 00 00 00 00 00 00 2a 14 00 00 00 00 00 17 00 00 00 1a 00 00 00)
+
+expect event GG_EVENT_NOTIFY60
+
+#-----------------------------------------------------------------------------

More information about the libgadu-commit mailing list