Re: #12562: Pidgin IRC does not handle SSL blocks of > IRC_INITIAL_BUFSIZE correctly

Re: #12562: Pidgin IRC does not handle SSL blocks of > IRC_INITIAL_BUFSIZE correctly

#12562: Pidgin IRC does not handle SSL blocks of > IRC_INITIAL_BUFSIZE correctly
-------------------------------------------------+------------------
 Reporter:  Stmeter                              |       Owner:  elb
     Type:  defect                               |      Status:  new
Milestone:                                       |   Component:  IRC
  Version:  2.7.3                                |  Resolution:
 Keywords:  SSL inspircd packets gnutls openssl  |
-------------------------------------------------+------------------

Comment (by slingamn):

 I think this problem is localized to the IRC implementation after all. For
 example, the Jabber implementation's callback calls `purple_ssl_read` in
 an internal while loop until no more data can be read; only then does it
 return to the main event loop. I did the same thing for the IRC
 implementation (starting from the 2.12 source):

 https://gist.github.com/slingamn/8b852215272a902618fecead52396be4

 and it appears to fix the bug. (Note that the NSS compatibility layer
 translates NSS's `PR_WOULD_BLOCK_ERROR` into `EAGAIN`, which is how the
 loop will exit in the typical case.)

 Thoughts?

--
Ticket URL: <https://developer.pidgin.im/ticket/12562#comment:3>
Pidgin <https://pidgin.im>
_______________________________________________
Tracker mailing list
[hidden email]
https://pidgin.im/cgi-bin/mailman/listinfo/tracker
Re: #12562: Pidgin IRC does not handle SSL blocks of > IRC_INITIAL_BUFSIZE correctly


Comment (by slingamn):

 While we're in the neighborhood: here's a patch that fixes the bug, and
 also fixes a DoS attack. Right now, the server can send an arbitrarily
 long stream of unparseable bytes (any byte that's not `0`, `\r`, or `\n`),
 and the parser will keep resizing its buffer upwards and trying to parse
 the data into a valid IRC message. IRC messages can't be longer than 1024
 bytes, so we can just use a constant-sized buffer.

 Gist with a DoS PoC and the patch:

 https://gist.github.com/slingamn/28b6e5658c48ead403d903fb3d29dce3

--
Ticket URL: <https://developer.pidgin.im/ticket/12562#comment:4>
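The two fixes discussed in this thread, the drain-until-EAGAIN read loop from comment 3 and the constant-sized receive buffer from comment 4, as one added C example; this is not slingamn's gist and not Pidgin's code. It stands in for `purple_ssl_read` with a constructed reader (`fake_ssl_read`) that holds bytes the TLS layer has already decrypted, hands them out a few at a time and then fails with `EAGAIN`, which is how the thread says the NSS compatibility layer reports `PR_WOULD_BLOCK_ERROR`. `IRC_MAX_LINE`, `irc_input`, `irc_feed`, `irc_readable_cb` and the two `demo_*` scenarios are names and inputs chosen for this example; the 1024-byte limit is the figure comment 4 gives.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define IRC_MAX_LINE 1024   /* upper bound on an IRC message, the figure given in the ticket */

typedef void (*irc_line_fn)(const char *line, void *ud);

/* Fixed-size receive buffer: never resized, whatever the server sends. */
typedef struct {
    char buf[IRC_MAX_LINE + 1];
    size_t len, peak;         /* current line length, and the largest it ever reached */
    int discarding, dropped;  /* skipping an over-long line; how many were thrown away */
} irc_input;

/* Split decrypted bytes into lines (terminators 0, \r, \n, as in the ticket). A line longer
 * than IRC_MAX_LINE is discarded up to its terminator instead of growing the buffer, so an
 * endless run of non-terminator bytes costs nothing beyond the fixed buf. */
static void irc_feed(irc_input *in, const char *data, size_t n, irc_line_fn on_line, void *ud)
{
    for (size_t i = 0; i < n; i++) {
        char c = data[i];
        if (c == '\0' || c == '\r' || c == '\n') {
            if (in->discarding) {            /* end of an over-long line: forget it */
                in->discarding = 0;
                in->dropped++;
            } else if (in->len > 0) {        /* complete line: hand it to the parser */
                in->buf[in->len] = '\0';
                on_line(in->buf, ud);
            }
            in->len = 0;                     /* the \n of \r\n gives an empty line, skipped */
        } else if (!in->discarding) {
            if (in->len == IRC_MAX_LINE) { in->discarding = 1; in->len = 0; }  /* limit hit */
            else { in->buf[in->len++] = c; if (in->len > in->peak) in->peak = in->len; }
        }
    }
}

/* Stand-in for purple_ssl_read (constructed for this example): `avail` bytes are already
 * decrypted inside the TLS layer, at most `chunk` come out per call, and after that it
 * fails with EAGAIN, as the NSS compatibility layer does for PR_WOULD_BLOCK_ERROR. */
typedef struct { const char *data; size_t avail, pos, chunk; } fake_ssl;

static int fake_ssl_read(fake_ssl *s, char *out, size_t cap)
{
    if (s->pos >= s->avail) { errno = EAGAIN; return -1; }
    size_t n = s->avail - s->pos;
    if (n > s->chunk) n = s->chunk;
    if (n > cap) n = cap;
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return (int)n;
}

/* Readable callback. drain == 0 is the buggy shape: one read, then back to the event loop,
 * but bytes already decrypted inside the TLS layer never make the socket readable again, so
 * they wait until the server sends more. drain == 1 reads until EAGAIN (comment 3's fix).
 * Returns 0 when drained, -1 on EOF or a real error (the caller would disconnect). */
static int irc_readable_cb(irc_input *in, fake_ssl *s, irc_line_fn on_line, void *ud, int drain)
{
    char tmp[256];
    for (;;) {
        int n = fake_ssl_read(s, tmp, sizeof tmp);
        if (n <= 0) return (n < 0 && errno == EAGAIN) ? 0 : -1;
        irc_feed(in, tmp, (size_t)n, on_line, ud);
        if (!drain) return 0;
    }
}

static void count_line(const char *line, void *ud) { (void)line; (*(int *)ud)++; }

/* Scenario A (constructed): three 217-byte PRIVMSG lines, 651 bytes in all, already decrypted
 * but handed out 256 bytes per read. Returns lines delivered: 1 without draining, 3 with it. */
static int demo_burst(int drain)
{
    static char data[1024];
    size_t len = 0;
    for (int i = 0; i < 3; i++)
        len += (size_t)snprintf(data + len, sizeof data - len, "PRIVMSG #chan :%0200d\r\n", i);
    fake_ssl s = { data, len, 0, 256 };
    irc_input in = {0};
    int lines = 0;
    irc_readable_cb(&in, &s, count_line, &lines, drain);
    return lines;
}

/* Scenario B (constructed): comment 4's DoS, 100000 bytes with no terminator, then a terminator
 * and one legitimate PING. Returns lines delivered (expected 1) if the junk was dropped as one
 * over-long line and buf never held more than IRC_MAX_LINE bytes, else -1. */
static int demo_garbage(void)
{
    static char junk[100016];
    memset(junk, 'A', 100000);
    memcpy(junk + 100000, "\r\nPING :server\r\n", 16);
    irc_input in = {0};
    int lines = 0;
    fake_ssl s = { junk, sizeof junk, 0, 4096 };
    irc_readable_cb(&in, &s, count_line, &lines, 1);
    return (in.dropped == 1 && in.peak <= IRC_MAX_LINE) ? lines : -1;
}

int main(void)
{
    printf("burst: one read delivers %d line(s), draining delivers %d\n", demo_burst(0), demo_burst(1));
    printf("garbage run: %d legitimate line(s) parsed after bounded discard\n", demo_garbage());
    return 0;
}
```

Scenario A shows why one `purple_ssl_read` per callback stalls on large TLS records: the first read returns one complete line and leaves the rest decrypted inside the TLS layer, where the event loop cannot see it. Scenario B shows the memory bound from comment 4: whatever the server sends, `buf` never holds more than `IRC_MAX_LINE` bytes, and a legitimate message after the junk is still parsed. A real implementation would also have to decide whether an over-long line is grounds for disconnecting rather than silently dropping it.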