[telepathy-gabble/master] socks5: reject connection if domain is wrong in CONNECT cmd
Guillaume Desmottes
guillaume.desmottes at collabora.co.uk
Fri Apr 3 09:26:03 PDT 2009
---
src/bytestream-socks5.c | 16 ++++++++++++----
1 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/bytestream-socks5.c b/src/bytestream-socks5.c
index 2ab4165..3484a59 100644
--- a/src/bytestream-socks5.c
+++ b/src/bytestream-socks5.c
@@ -640,8 +640,7 @@ check_domain (const gchar *domain,
{
if (len != SHA1_LENGTH || strncmp (domain, expected, SHA1_LENGTH) != 0)
{
- DEBUG ("Wrong domain hash: %s (expected: %s). Ignoring to interop "
- "with buggy implementations", domain, expected);
+ DEBUG ("Wrong domain hash: %s (expected: %s)", domain, expected);
return FALSE;
}
@@ -739,7 +738,11 @@ socks5_handle_received_data (GabbleBytestreamSocks5 *self,
domain = compute_domain(priv->stream_id, priv->self_full_jid,
priv->peer_jid);
- check_domain (&string->str[5], domain_len, domain);
+ if (!check_domain (&string->str[5], domain_len, domain))
+ {
+ /* Thanks Pidgin... */
+ DEBUG ("Ignoring to interop with buggy implementations");
+ }
DEBUG ("Received CONNECT reply. Socks5 stream connected. "
"Bytestream is now open");
@@ -854,7 +857,12 @@ socks5_handle_received_data (GabbleBytestreamSocks5 *self,
domain = compute_domain(priv->stream_id, priv->self_full_jid,
priv->peer_jid);
- check_domain (&string->str[5], domain_len, domain);
+ if (!check_domain (&string->str[5], domain_len, domain))
+ {
+ DEBUG ("Reject connection to prevent spoofing");
+ socks5_error (self);
+ return string->len;
+ }
msg[0] = SOCKS5_VERSION;
msg[1] = SOCKS5_STATUS_OK;
--
1.5.6.5
More information about the telepathy-commits
mailing list