<<< Date Index >>>     <<< Thread Index >>>

recent gaim advisory



if anyone else was looking for some of the overflows mentioned in the
rather cryptic advisory, i found one of them in:

/gaim-0.81/src/protocols/msn/slp.c :648 in the function msn_slp_sip_recv().  an
improper use of strncpy().  

[---------------------------------------------]

not very interesting for us, but there is a local overflow.  it's not stack
based- the buffer is a global so it's somewhere in .bss.  that is in:

/gaim-0.81/src/protocols/msn/utils.c :134 in the function encode_spaces(). it
doesn't check the length of the buffer it copies into.  unless there is some max
bounds way higher up in the gtk functions that i missed.

[---------------------------------------------]

another local (stack based) overflow in:

/gaim-0.81/src/protocols/msn/utils.c :198 in the function msn_import_html(). it
is not exploitable though.  multiple calls to strcat() to a small buffer, but no
control over the data being appended.

[---------------------------------------------]


and there are many many places where the return value of dynamic memory
allocation routines is not tested. actually, to rephrase that, i don't think
there are many places where the return value IS checked.  or in some cases
the check is only after the possibly NULL pointer has already been used.  on a
similar note, there is little to no checking the return value of all sorts of
other library functions.

-- 
-sean