From: Herman Meerlo <herman@service2media.com>
To: bluez-devel@lists.sourceforge.net
Subject: [Bluez-devel] Segmentation fault hcid in textfile.c
Date: Mon, 03 Apr 2006 08:59:15 +0200
Message-ID: <4430C7C3.5050205@service2media.com>
Hi All,
this weekend I have been testing with a directional antenna and
therefore I have seen a lot of Bluetooth devices. I have witnessed a
segmentation fault in common/textfile.c twice. After examining the core
file of the hcid I found out where the problem is and I have made a
patch for it.
The problem is that the textfile is mapped into memory with an mmap call
on line 153, but the file I was writing to (once it was the lastseen
file and once the names file) was exactly 8192 bytes, an exact
multiple of the page size. Therefore there is no terminating NULL
character in the memory map and the find_key call on line 159, which
uses a strstr, will read beyond the boundaries of the memory-mapped
segment -> SEGV.
I have made a change to the find_key call and added an extra parameter
to indicate the length of the map. It works fine for me but maybe it is
not an optimal solution. I have attached the patch.
Regards,
Herman Meerlo
[-- Attachment #2: hcid.patch --]
Index: textfile.c
===================================================================
RCS file: /cvsroot/bluez/utils/common/textfile.c,v
retrieving revision 1.16
diff -u -r1.16 textfile.c
--- textfile.c 24 Mar 2006 14:36:28 -0000 1.16
+++ textfile.c 3 Apr 2006 06:58:46 -0000
@@ -86,9 +86,17 @@
return 0;
}
-static inline char *find_key(char *map, const char *key, size_t len)
+static inline char *find_key(char *map, size_t maplen, const char *key, size_t len)
{
- char *off = strstr(map, key);
+ char *off = NULL;
+ int start=0;
+ while (start < (maplen - len)) {
+ if (0 == strncmp(map+start, key, len)) {
+ off = map + start;
+ break;
+ }
+ start++;
+ }
while (off && ((off > map && *(off - 1) != '\r' &&
*(off - 1) != '\n') || *(off + len) != ' '))
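Review bot: `start` is declared `int` but compared against `maplen - len`, a `size_t` expression, so the comparison is done unsigned; if `len` ever exceeds `maplen` (a key longer than a short file) the subtraction wraps and the loop walks far past the mapping, which is the very over-read this patch sets out to stop. Declare `start` as `size_t`, write the bound as `start + len < maplen` (which also guarantees the later `*(off + len)` read stays inside the map) and return NULL early when `len >= maplen`. The unchanged `while (off && ...)` loop below still has to advance `off` for a key that matches mid-line; whatever it calls for that (not shown in this hunk) needs the same `maplen` bound, otherwise the strstr problem just moves there. Minor: `int start=0` should be `int start = 0` to match the surrounding style.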
@@ -156,7 +164,7 @@
goto unlock;
}
- off = find_key(map, key, strlen(key));
+ off = find_key(map, size, key, strlen(key));
if (!off) {
if (value) {
munmap(map, size);
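Review bot: the `size` passed here is the same length later handed to `munmap(map, size)`, so the bound matches the mapping, which is right. Note that with the new lookup a key occupying the last bytes of the file (no room for the trailing space) now lands in this `if (!off)` branch instead of over-reading; that looks intended but deserves a one-line comment. Unless an earlier check already rejects an empty file, also confirm `size` cannot be 0 here, since `maplen - len` in find_key wraps in that case.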
@@ -265,7 +273,7 @@
}
len = strlen(key);
- off = find_key(map, key, len);
+ off = find_key(map, size, key, len);
if (!off) {
err = EILSEQ;
goto unmap;
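Review bot: `len = strlen(key)` comes from caller-supplied input and is passed straight through; on a small file `len` can exceed `size`, and with the subtraction as written in find_key that wraps. Either guard at this call site, reusing the existing error path (`if (len >= size) { err = EILSEQ; goto unmap; }`), or make find_key itself reject that case so both call sites stay safe.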
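The failure described in the mail, as an added example that is not part of the patch or of BlueZ: a stand-in for an mmap()ed names file that is exactly 8192 bytes with no NUL anywhere, searched with a bounded lookup instead of strstr(). The record format, addresses and the `find_key_bounded`/`lookup_offset` names are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAP_SIZE 8192   /* a file length that is an exact multiple of the page size */

/* Bounded replacement for a strstr()-based lookup: "key" must start a
   line and be followed by a space; no byte at or past map + maplen is read. */
static const char *find_key_bounded(const char *map, size_t maplen,
                                    const char *key, size_t len)
{
    if (len == 0 || len >= maplen)          /* no room for key plus the trailing ' ' */
        return NULL;
    for (size_t start = 0; start + len < maplen; start++) {
        if (memcmp(map + start, key, len) != 0)
            continue;
        if (start != 0 && map[start - 1] != '\n' && map[start - 1] != '\r')
            continue;                       /* key appears in the middle of a line */
        if (map[start + len] == ' ')        /* in bounds: start + len < maplen */
            return map + start;
    }
    return NULL;
}

/* Constructed stand-in for the mapped names file: 327 fixed-size
   "<addr> <name>\n" records (8175 bytes) plus a 17-byte truncated tail
   record that fills the map to exactly MAP_SIZE, so there is no NUL. */
static char map[MAP_SIZE];

static void build_map(void)
{
    const char *line = "00:11:22:33:44:55 Device\n";  /* 25 bytes */
    size_t n = strlen(line), pos = 0;
    while (pos + n <= MAP_SIZE) {
        memcpy(map + pos, line, n);
        pos += n;
    }
    memcpy(map + 250, "10:20:30:40:50:60", 17);       /* distinct address on line 10 */
    memcpy(map + pos, "AA:BB:CC:DD:EE:FF", MAP_SIZE - pos); /* 17 bytes, no space, no '\n' */
}

/* Byte offset of the record for key, or -1 if it is not a complete record. */
static long lookup_offset(const char *key)
{
    const char *off = find_key_bounded(map, MAP_SIZE, key, strlen(key));
    return off ? (long)(off - map) : -1;
}

int main(void)
{
    build_map();
    printf("first record at %ld\n", lookup_offset("00:11:22:33:44:55"));
    printf("line 10 record at %ld\n", lookup_offset("10:20:30:40:50:60"));
    printf("truncated tail record: %ld\n", lookup_offset("AA:BB:CC:DD:EE:FF"));
    return 0;
}
```

An unbounded strstr() would match the tail record at offset 8175 and then read map[8192] to check for the space, one byte past the mapping; the bounded version reports it as not found.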