Skip to content

Don't allow others to close random tubes

Submitted by Jonny Lamb @jonnylamb

Assigned to Telepathy bugs list

Link to original bug (#52448)

Description

(From bug #32612 comment 6):

+private_tubes_factory_tube_close_cb ( ...

  • if (!tube_msg_checks (self, msg, node, NULL, &tube_id))
  • return FALSE;

Er, this function allows Alice to close tubes between us and Bob, if she can guess or brute-force the tube ID. Pre-existing bug?

  • DEBUG ("tube ID already in use; do not open the offered tube and close "
  • "the existing tube if it's to the same contact");

Not a merge blocker and presumably not your fault, but these semantics are crazy. We should have a separate tube ID "namespace" per peer, and store tubes in the hash table by (handle, id) tuples or something.

Version: git master