BitlBee before 3.5 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a file transfer request for a contact that is not in the contact list.