* [Bluez-devel] Segmentation fault hcid in textfile.c
From: Herman Meerlo @ 2006-04-03 6:59 UTC (permalink / raw)
To: bluez-devel
Hi All,
this weekend I have been testing with a directional antenna and
therefore I have seen a lot of bluetooth devices. I have witnessed a
segmentation fault in common/textfile.c twice. After examining the core
file of the hcid I found out where the problem is and I have made a
patch for it.
The problem is that the textfile is mapped into memory with an mmap call
on line 153, but the file I was writing to (once it was the lastseen
file and once the names file) was exactly 8192 bytes. So an exact
multiple of the page size. Therefore there is no terminating NULL
character in the memory map and the find_key call on line 159, which
uses a strstr, will read beyond the boundaries of the memory mapped
segment -> SEGV.
I have made a change to the find_key call and added an extra parameter
to indicate the length of the map. It works fine for me but maybe it is
not an optimal solution. I have attached the patch.
Regards,
Herman Meerlo
[-- Attachment #2: hcid.patch --]
Index: textfile.c
===================================================================
RCS file: /cvsroot/bluez/utils/common/textfile.c,v
retrieving revision 1.16
diff -u -r1.16 textfile.c
--- textfile.c 24 Mar 2006 14:36:28 -0000 1.16
+++ textfile.c 3 Apr 2006 06:58:46 -0000
@@ -86,9 +86,17 @@
return 0;
}
-static inline char *find_key(char *map, const char *key, size_t len)
+static inline char *find_key(char *map, size_t maplen, const char *key, size_t len)
{
- char *off = strstr(map, key);
+ char *off = NULL;
+ int start=0;
+ while (start < (maplen - len)) {
+ if (0 == strncmp(map+start, key, len)) {
+ off = map + start;
+ break;
+ }
+ start++;
+ }
while (off && ((off > map && *(off - 1) != '\r' &&
*(off - 1) != '\n') || *(off + len) != ' '))
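Review bot: the loop bound `while (start < (maplen - len))` wraps when `len > maplen` (both are `size_t`), so a key longer than the mapped file still scans far past the end of the map, and `start` is a signed `int` compared against that `size_t`. Guard first and use an unsigned index, e.g. `if (len > maplen) return NULL;` followed by `size_t start = 0; while (start + len < maplen)`. Two smaller points: `memcmp` is the better fit than `strncmp`, since neither the map nor the match position is NUL-terminated here, and the `while` that follows still dereferences `*(off + len)`, which is only in bounds because the scan stops one byte short of the end; if that loop re-searches on a mismatch (its body is outside the hunk), the continuation needs the same bounded form or the original overrun remains.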
@@ -156,7 +164,7 @@
goto unlock;
}
- off = find_key(map, key, strlen(key));
+ off = find_key(map, size, key, strlen(key));
if (!off) {
if (value) {
munmap(map, size);
@@ -265,7 +273,7 @@
}
len = strlen(key);
- off = find_key(map, key, len);
+ off = find_key(map, size, key, len);
if (!off) {
err = EILSEQ;
goto unmap;
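Review bot: `size` is the mapping length (the earlier hunk calls `munmap(map, size)` with it), so both call sites are consistent, but nothing at this level stops `len` from exceeding `size` for an empty or very short file before `find_key` subtracts them. A cheap guard ahead of the call, `if (len >= size) { err = EILSEQ; goto unmap; }`, keeps the existing not-found path and never enters the scan with an invalid bound.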
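The failure Herman describes above (a file exactly one page long, mapped with no NUL after it, searched by a strstr that walks off the mapping), recreated as an added example that is not part of the thread or of BlueZ. It uses a bounded search in place of find_key, a constructed page of "bdaddr timestamp" records, and a PROT_NONE guard page behind the data so that any read past the end faults the way the original mmap did; the record contents and the function names are assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Bounded stand-in for textfile.c's find_key(): never reads past map + maplen,
 * so a mapping with no terminating NUL (a file whose size is a multiple of the
 * page size) is safe.  Same rule as the original: the key must start the map or
 * follow '\r'/'\n', and must be followed by ' '. */
static char *find_key_bounded(char *map, size_t maplen, const char *key, size_t len)
{
    size_t pos;
    if (len == 0 || maplen < len + 1)   /* no room for key + ' '; avoids size_t wrap */
        return NULL;
    for (pos = 0; pos + len < maplen; pos++) {
        if (memcmp(map + pos, key, len) != 0)
            continue;
        if (pos > 0 && map[pos - 1] != '\r' && map[pos - 1] != '\n')
            continue;                   /* key does not start a line */
        if (map[pos + len] != ' ')
            continue;                   /* key is a prefix of a longer key */
        return map + pos;
    }
    return NULL;
}

/* Recreates the crashing layout: one page filled to its last byte with
 * constructed "bdaddr timestamp" records (no NUL anywhere) and a PROT_NONE guard
 * page behind it, so a read past the end faults as the original mmap did.
 * Returns the byte offset of key, or -1 if absent. */
long lookup_in_full_page(const char *key)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE), used = 0;
    char *map = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    unsigned i;
    if (map == MAP_FAILED)
        return -1;
    mprotect(map + page, page, PROT_NONE);
    for (i = 0; used < page; i++) {          /* the last record is cut short */
        char rec[40];
        int n = snprintf(rec, sizeof(rec), "00:11:22:33:44:%02X 1144047600\n", i & 0xffu);
        memcpy(map + used, rec, (size_t)n < page - used ? (size_t)n : page - used);
        used += (size_t)n;
    }
    char *off = find_key_bounded(map, page, key, strlen(key));
    long result = off ? (long)(off - map) : -1;
    munmap(map, 2 * page);
    return result;
}
```

Each record is 29 bytes, so the sixth address sits at offset 145; a key that is only a prefix of a longer field, or that does not start a line, is rejected without ever touching the guard page.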
* Re: [Bluez-devel] Segmentation fault hcid in textfile.c
From: Marcel Holtmann @ 2006-04-07 15:14 UTC (permalink / raw)
To: bluez-devel
On Mon, 2006-04-03 at 08:59 +0200, Herman Meerlo wrote:
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel
* Re: [Bluez-devel] Segmentation fault hcid in textfile.c
From: Marcel Holtmann @ 2006-04-07 15:17 UTC (permalink / raw)
To: bluez-devel
Hi Herman,
> this weekend I have been testing with a directional antenna and
> therefore I have seen a lot of bluetooth devices. I have witnessed a
> segmentation fault in common/textfile.c twice. After examining the core
> file of the hcid I found out where the problem is and I have made a
> patch for it.
> The problem is that the textfile is mapped into memory with an mmap call
> on line 153, but the file I was writing to (once it was the lastseen
> file and once the names file) was exactly 8192 bytes. So an exact
> multiple of the page size. Therefore there is no terminating NULL
> character in the memory map and the find_key call on line 159, which
> uses a strstr, will read beyond the boundaries of the memory mapped
> segment -> SEGV.
> I have made a change to the find_key call and added an extra parameter
> to indicate the length of the map. It works fine for me but maybe it is
> not an optimal solution. I have attached the patch.
Can you verify that the latest CVS version still segfaults, and please
redo the patch against this version and use our coding style.
> + int start=0;
Must be "int start = 0"
> + if (0 == strncmp(map+start, key, len)) {
Must be "if (!strcmp(...)) {"
Regards
Marcel