gaim -- MSN denial-of-service vulnerabilities

ID F2D6A5E1-26B9-11D9-9289-000C41E2CDAD
Type freebsd
Reporter FreeBSD
Modified 2004-10-19T00:00:00


The Gaim team discovered denial-of-service vulnerabilities in the MSN protocol handler:

After accepting a file transfer request, Gaim will attempt to allocate a buffer of a size equal to the entire filesize, this allocation attempt will cause Gaim to crash if the size exceeds the amount of available memory.

Gaim allocates a buffer for the payload of each message received based on the size field in the header of the message. A malicious peer could specify an invalid size that exceeds the amount of available memory.