Bug#894724: ncmpc: Crash in chat screen when another client sends a long line

Tue, 03 Apr 2018 07:51:51 -0700 

Package: ncmpc
Version: 0.27-1
Severity: normal
Tags: patch security

Hi,

Ncmpc can be crashed when the user uses the chat screen and another
client sends a long chat message, due to a NULL pointer dereference.

I have a patch that fixes this for v0.27 (currently in Debian) and v0.29
(newest upstream release). The bug is fixed in upstream's master branch.

I tagged this report as "security"-related, because the client can be
crashed by the actions of another client, but I don't think this allows
anything more serious than a NULL pointer derefence (probably no RCE).

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, mips, armhf, armel

Kernel: Linux 4.15.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ncmpc depends on:
ii  libc6            2.27-2
ii  libglib2.0-0     2.56.0-4
ii  liblirc-client0  0.10.0-2+b1
ii  libmpdclient2    2.11-1
ii  libncursesw5     6.1-1
ii  libtinfo5        6.1-1

ncmpc recommends no packages.

Versions of packages ncmpc suggests:
ii  mpd           0.20.18-1
pn  ncmpc-lyrics  <none>

-- no debconf information

commit 5f67215970ca89dd6940954e23854cb081e28227
Author: Jonathan Neuschäfer <j.neuschae...@gmx.net>
Date:   Tue Apr 3 16:35:49 2018 +0200

    screen_char: Fix NULL dereference on long messages
    
    Currently, this script could crash ncmpc when the chat screen is open:
    
        #!/usr/bin/python3
        import socket, sys
        host = 'localhost'
        if len(sys.argv) > 1: host = sys.argv[1]
        s = socket.socket()
        s.connect((host, 6600))
        s.send(b'sendmessage chat "Short message"\n')
        s.send(b'sendmessage chat "l%sng message"\n' % (b'o' * 0x1f00))
    
    This happens when screen_chat_update receives a message is received
    that's deemed too long by libmpdclient ("Response line too large" is
    shown in the status line), and screen_chat_update calls
    mpdclient_finish_command, which calls mpd_response_finish without
    checking c->connection for NULL.
    
    Check c->connection for NULL in mpdclient_finish to at least prevent the
    crash. Showing the "Response line too large" when another client sends a
    too long line is still not ideal.

diff --git a/src/mpdclient.h b/src/mpdclient.h
index 1d3b6e0..bd84921 100644
--- a/src/mpdclient.h
+++ b/src/mpdclient.h
@@ -114,6 +114,9 @@ mpdclient_handle_error(struct mpdclient *c);
 static inline bool
 mpdclient_finish_command(struct mpdclient *c)
 {
+       if (!c->connection)
+               return false;
+
        return mpd_response_finish(c->connection)
                ? true : mpdclient_handle_error(c);
 }

Reply via email to