BugTraq
recent gaim advisory Aug 13 2004 05:12AM
infamous41md hotpop com
if anyone else was looking for some of the overflows mentioned in the
rather cryptic advisory, i found one of them in:

/gaim-0.81/src/protocols/msn/slp.c :648 in the function msn_slp_sip_recv(). an
improper use of strncpy().

[---------------------------------------------]

not very interesting for us, but there is a local overflow. it's not stack
based; the buffer is a global so it's somewhere in .bss. that is in:

/gaim-0.81/src/protocols/msn/utils.c :134 in the function encode_spaces(). it
doesn't check the length of the buffer it copies into. unless there is some max
bounds way higher up in the gtk functions that i missed.

[---------------------------------------------]

another local (stack based) overflow in:

/gaim-0.81/src/protocols/msn/utils.c :198 in the function msn_import_html(). it
is not exploitable though. multiple calls to strcat() to a small buffer, but no
control over the data being appended.

[---------------------------------------------]

and there are many, many places where the return value of dynamic memory
allocation routines is not tested. actually, to rephrase that, i don't think
there are many places where the return value IS checked. or in some cases
the check is only after the possibly NULL pointer has already been used. on a
similar note, there is little to no checking of the return value of all sorts of
other library functions.

--
-sean

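The three bug classes the post lists (a strncpy() bound that does not match the destination, strcat() chains into a small fixed buffer, and allocation results used before they are checked) in their corrected form, as an added example in C. This is constructed illustration code, not gaim's code or a patch for the functions named above; the helper names are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Bounded copy that avoids both classic strncpy() pitfalls: the bound is the
 * DESTINATION size (never strlen(src)), and the result is always NUL
 * terminated. Returns 0 on success, 1 if the input was truncated (so the
 * caller can reject oversized input instead of silently using a clipped
 * string), -1 for a zero-length destination. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len;
    if (dst_size == 0)
        return -1;
    len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Bounded append, the safe replacement for repeated strcat() into a small
 * fixed buffer: the remaining room is checked before anything is written.
 * Returns 0 on success, 1 if the piece does not fit (dst left unchanged) or
 * dst is not NUL terminated within its own bounds. */
int bounded_append(char *dst, size_t dst_size, const char *piece)
{
    const char *end = memchr(dst, '\0', dst_size);
    size_t used, need;
    if (end == NULL)
        return 1;
    used = (size_t)(end - dst);
    need = strlen(piece);
    if (need >= dst_size - used)
        return 1;
    memcpy(dst + used, piece, need + 1);
    return 0;
}

/* Checked allocation: the malloc() result is tested BEFORE the pointer is
 * touched, the ordering the post notes is often reversed. Returns a heap
 * copy of src, or NULL, which the caller must handle. */
char *checked_dup(const char *src)
{
    size_t len = strlen(src);
    char *out = malloc(len + 1);
    if (out == NULL)          /* check first, only then use the pointer */
        return NULL;
    memcpy(out, src, len + 1);
    return out;
}
```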