There is one buffer overflow and one place where the string is truncated 
in the QRY generation. With the current code, the msn server will 
disconnect every few minutes because the initial challenge doesn't get 
a proper response.

Patch attached.

-- 
Roger Oksanen <[EMAIL PROTECTED]>          +358 50 355 1990
CS Student at Helsinki University                      PGP id 1B125A3E
Homepage http://www.cs.helsinki.fi/u/raoksane/
Index: plugins/msn/src/msnpacket.cpp
===================================================================
--- plugins/msn/src/msnpacket.cpp	(revision 4384)
+++ plugins/msn/src/msnpacket.cpp	(working copy)
@@ -440,15 +440,15 @@
 CPS_MSNChallenge::CPS_MSNChallenge(const char *szHash) : CMSNPacket()
 {
   m_szCommand = strdup("QRY");
-  char szParams[] = "[EMAIL PROTECTED] 32";
+  char *szParams = "[EMAIL PROTECTED] 32";
   m_nSize += strlen(szParams) + 32; //payload
   InitBuffer();
   
-  char szSource[64];
+  char szSource[65];
   unsigned char szDigest[16];
-  char szHexOut[32];
+  char szHexOut[33];
   snprintf(szSource, 64, "%sQ1P7W2E4J9R8U3S5", szHash);
-  szSource[63] = '\0';
+  szSource[64] = '\0';
   MD5((const unsigned char *)szSource, strlen(szSource), szDigest);
   
   for (int i = 0; i < 16; i++)
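Review bot: The snprintf bound on the `szSource` line is still the hard-coded 64 while the buffer was grown to 65, so the size now has to be kept in sync by hand in three places; `snprintf(szSource, sizeof(szSource), "%sQ1P7W2E4J9R8U3S5", szHash);` ties the bound to the declaration, and the explicit `szSource[64] = '\0';` can then go, since snprintf always NUL-terminates when its size argument is non-zero. If a challenge longer than the remaining space ever arrives, the truncation the patch description mentions would still happen silently here; checking snprintf's return value against `sizeof(szSource)` would at least make that detectable instead of producing a wrong QRY response. Separately, `char *szParams = "…"` binds a string literal to a non-const pointer, which is deprecated in C++03 and ill-formed in C++11 — `const char *szParams` keeps the same strlen without the warning, and the original array form was already fine for that. The loop that fills `szHexOut[33]` continues past the end of this hunk, so whether the extra terminator byte is actually written there cannot be confirmed from this view.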
