authorDaniel Atallah <datallah@pidgin.im>2016-10-20 18:20:44 -0400
committerDaniel Atallah <datallah@pidgin.im>2016-10-20 18:20:44 -0400
commita9b2c489279ea73a5d255142235c5b1cb0519c39 (patch)
treebfed6ad4d17e2bf976f5ae81ab85dd6f7e143ba9
parent865424221991859c87d4ca4741b944bf764c061b (diff)
win32: add some sanity checks to avoid infinite loops or large memory allocations when retrieving NLA responses
-rw-r--r--libpurple/network.c16
1 files changed, 14 insertions, 2 deletions
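--- a/libpurple/network.c
+++ b/libpurple/network.c
@@ -639,7 +639,8 @@ wpurple_get_connected_network_count(void)
 gchar *buf = NULL;
 WSAQUERYSET *res = (LPWSAQUERYSET) buf;
 DWORD current_size = 0;
-while (TRUE) {
+int iteration_count = 0;
+while (iteration_count++ < 100) {
 DWORD size = current_size;
 retval = WSALookupServiceNextA(h, 0, &size, res);
 if (retval == ERROR_SUCCESS) {
@@ -649,6 +650,10 @@ wpurple_get_connected_network_count(void)
 } else {
 errorid = WSAGetLastError();
 if (errorid == WSAEFAULT) {
+if (size == 0 || size > 102400) {
+purple_debug_warning("network", "Got unexpected NLA buffer size %" G_GUINT32_FORMAT ".\n", (guint32) size);
+break;
+}
 buf = g_realloc(buf, size);
 res = (LPWSAQUERYSET) buf;
 current_size = size;
@@ -729,6 +734,7 @@ static gpointer wpurple_network_change_thread(gpointer data)
 while (TRUE) {
 int retval;
+int iteration_count;
 DWORD retLen = 0;
 WSACOMPLETION completion;
 WSAOVERLAPPED overlapped;
@@ -806,7 +812,8 @@ static gpointer wpurple_network_change_thread(gpointer data)
 return NULL;
 }
-while (TRUE) {
+iteration_count = 0;
+while (iteration_count++ < 100) {
 DWORD size = current_size;
 retval = WSALookupServiceNextA(network_change_handle, 0, &size, res);
 if (retval == ERROR_SUCCESS) {
@@ -816,6 +823,11 @@ static gpointer wpurple_network_change_thread(gpointer data)
 } else {
 int errorid = WSAGetLastError();
 if (errorid == WSAEFAULT) {
+if (size == 0 || size > 102400) {
+purple_timeout_add(0, _print_debug_msg,
+g_strdup_printf("Thread got unexpected NLA buffer size %" G_GUINT32_FORMAT ".\n", (guint32) size));
+break;
+}
 buf = g_realloc(buf, size);
 res = (LPWSAQUERYSET) buf;
 current_size = size;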
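Review bot: The two limits are spelled out as bare literals in four places — `100` in the while conditions of the first and fourth hunks, `102400` in the size checks of the second and fifth — so the two NLA retrieval paths can silently drift apart if one is later tuned; naming them once, e.g. `#define NLA_MAX_ITERATIONS 100` and `#define NLA_MAX_BUFFER_SIZE 102400` with a comment such as `/* bound WSALookupServiceNextA retries and the buffer it may ask us to grow */`, keeps them in step. The size check logs before breaking, but hitting the iteration cap exits the loop with no diagnostic at all, which makes a misbehaving NLA provider hard to distinguish from a normal end of enumeration; a `purple_debug_warning` after the loop when `iteration_count > 100` would cover that case in both functions. Both wpurple_get_connected_network_count and wpurple_network_change_thread begin and end outside these hunks, so whether `buf` is released on the new `break` paths and how `retval` is interpreted after a capped loop cannot be confirmed from here.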