diff options
| author | dequis <dx@dxzone.com.ar> | 2015-05-07 23:02:14 -0300 |
|---|---|---|
| committer | dequis <dx@dxzone.com.ar> | 2015-05-07 23:02:14 -0300 |
| commit | 088b07018963158ca822a289f4db7085454f9713 (patch) | |
| tree | 28179cd79c37e1ca85c40c31a0a8ec3ae6652438 | |
| parent | 5535a47f4c2b9def68356d1ced9a149a7197f32c (diff) | |
msn: fix use-after-free when the server sends OUT
Also fix a leak in msn_ns_callback while i'm at it.
Also fix a potential null deref when req->reply_body is null and
BITLBEE_DEBUG is enabled, but i don't even know if this one can happen.
| -rw-r--r-- | protocols/msn/gw.c | 15 | ||||
| -rw-r--r-- | protocols/msn/ns.c | 7 |
2 files changed, 11 insertions, 11 deletions
diff --git a/protocols/msn/gw.c b/protocols/msn/gw.c index 60514139..5f285f8d 100644 --- a/protocols/msn/gw.c +++ b/protocols/msn/gw.c @@ -86,16 +86,16 @@ void msn_gw_callback(struct http_request *req) gw->waiting = FALSE; gw->polling = FALSE; + if (req->status_code != 200 || !req->reply_body) { + gw->callback(gw->md, -1, B_EV_IO_READ); + return; + } + if (getenv("BITLBEE_DEBUG")) { fprintf(stderr, "\n\x1b[90mHTTP:%s\n", req->reply_body); fprintf(stderr, "\n\x1b[97m\n"); } - if (req->status_code != 200) { - gw->callback(gw->md, -1, B_EV_IO_READ); - return; - } - if ((value = get_rfc822_header(req->reply_headers, "X-MSN-Messenger", 0))) { if (!msn_gw_parse_session_header(gw, value)) { gw->callback(gw->md, -1, B_EV_IO_READ); @@ -112,7 +112,10 @@ void msn_gw_callback(struct http_request *req) if (req->body_size) { g_byte_array_append(gw->in, (const guint8 *) req->reply_body, req->body_size); - gw->callback(gw->md, -1, B_EV_IO_READ); + + if (!gw->callback(gw->md, -1, B_EV_IO_READ)) { + return; + } } if (gw->poll_timeout != -1) { diff --git a/protocols/msn/ns.c b/protocols/msn/ns.c index 0011d7e7..0aab149d 100644 --- a/protocols/msn/ns.c +++ b/protocols/msn/ns.c @@ -180,6 +180,7 @@ static gboolean msn_ns_callback(gpointer data, gint source, b_input_condition co if (st <= 0) { imcb_error(ic, "Error while reading from server"); imc_logout(ic, TRUE); + g_free(bytes); return FALSE; } @@ -187,11 +188,7 @@ static gboolean msn_ns_callback(gpointer data, gint source, b_input_condition co g_free(bytes); - /* Ignore ret == 0, it's already disconnected then. */ - msn_handler(md); - - return TRUE; - + return msn_handler(md); } int msn_ns_command(struct msn_data *md, char **cmd, int num_parts) |