From: Andreas WESTIN <andreas.westin@stericsson.com>
To: ofono@ofono.org
Subject: Re: [PATCH 1/1] src: out of bounds problem in smsutil
Date: Wed, 16 Feb 2011 16:50:18 +0100 [thread overview]
Message-ID: <4D5BF23A.4080308@stericsson.com> (raw)
In-Reply-To: <4D5BEC5C.3000207@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 4540 bytes --]
On 2011-02-16 16:25, Denis Kenzior wrote:
> Hi Jessica,
>
> On 02/16/2011 06:04 AM, Jessica Nilsson wrote:
>> ---
>>
>> This one was exposed when wgmodem2.5 CBS was run with valgrind.
>>
>> Best Regards,
>> Jessica Nilsson
>>
>
> Can you post the actual error and the data this happened on?
>
>> src/smsutil.c | 2 +-
>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/src/smsutil.c b/src/smsutil.c
>> index 5524932..b3a1ba1 100644
>> --- a/src/smsutil.c
>> +++ b/src/smsutil.c
>> @@ -4628,7 +4628,7 @@ char *cbs_topic_ranges_to_string(GSList *ranges)
>> }
>>
>> /* Space for ranges, commas and terminator null */
>> - ret = g_new(char, len + nelem);
>> + ret = g_new0(char, len + nelem + 1);
>
> I'm having trouble seeing how the old code was wrong. nelem contains
> the number of elements. Since the last element does not end with a
> comma, the use of nelem + 1 in g_new is not necessary. sprintf takes
> care of adding the terminating null, so using g_new0 is also less efficient.
>
> Are you adding channels that are 5 digits long by any chance?
Valgrind complains that we step outside the allocated memory by 1 byte
since we loop the string with:
while (*topics != '\0')
the allocated memory is the size of the string and any \0 ends up
outside. At least that's my interpretation.
I saw it in isimodem/cbs.c in the patches sent in.
This is the output from valgrind:
==2450== Invalid read of size 1
==2450== at 0x3427C: get_topics_len (cbs.c:112)
==2450== by 0x347CF: isi_set_topics (cbs.c:223)
==2450== by 0xE6343: cbs_set_powered (cbs.c:466)
==2450== by 0xE6E4B: cbs_got_file_contents (cbs.c:752)
==2450== by 0xE74BF: sim_cbmid_read_cb (cbs.c:889)
==2450== by 0x103017: sim_fs_op_read_block_cb (simfs.c:388)
==2450== by 0x375C3: isi_read_file_transparent_resp (sim.c:1013)
==2450== by 0x19B5B: pending_remove_and_dispatch (modem.c:171)
==2450== by 0x19C87: service_dispatch (modem.c:218)
==2450== by 0x1A0D7: isi_callback (modem.c:334)
==2450== by 0x48D1A4B: g_io_unix_dispatch (giounix.c:162)
==2450== by 0x4898117: g_main_context_dispatch (gmain.c:1960)
==2450== Address 0x4c031b2 is 0 bytes after a block of size 10 alloc'd
==2450== at 0x4833F58: malloc (vg_replace_malloc.c:236)
==2450== by 0x48D614F: g_malloc (gmem.c:132)
==2450== by 0xCE887: cbs_topic_ranges_to_string (smsutil.c:4631)
==2450== by 0xE5DC7: cbs_topics_to_str (cbs.c:329)
==2450== by 0xE631F: cbs_set_powered (cbs.c:465)
==2450== by 0xE6E4B: cbs_got_file_contents (cbs.c:752)
==2450== by 0xE74BF: sim_cbmid_read_cb (cbs.c:889)
==2450== by 0x103017: sim_fs_op_read_block_cb (simfs.c:388)
==2450== by 0x375C3: isi_read_file_transparent_resp (sim.c:1013)
==2450== by 0x19B5B: pending_remove_and_dispatch (modem.c:171)
==2450== by 0x19C87: service_dispatch (modem.c:218)
==2450== by 0x1A0D7: isi_callback (modem.c:334)
==2450==
==2450== Invalid read of size 1
==2450== at 0x34588: parse_topics (cbs.c:153)
==2450== by 0x34957: isi_set_topics (cbs.c:257)
==2450== by 0xE6343: cbs_set_powered (cbs.c:466)
==2450== by 0xE6E4B: cbs_got_file_contents (cbs.c:752)
==2450== by 0xE74BF: sim_cbmid_read_cb (cbs.c:889)
==2450== by 0x103017: sim_fs_op_read_block_cb (simfs.c:388)
==2450== by 0x375C3: isi_read_file_transparent_resp (sim.c:1013)
==2450== by 0x19B5B: pending_remove_and_dispatch (modem.c:171)
==2450== by 0x19C87: service_dispatch (modem.c:218)
==2450== by 0x1A0D7: isi_callback (modem.c:334)
==2450== by 0x48D1A4B: g_io_unix_dispatch (giounix.c:162)
==2450== by 0x4898117: g_main_context_dispatch (gmain.c:1960)
==2450== Address 0x4c031b2 is 0 bytes after a block of size 10 alloc'd
==2450== at 0x4833F58: malloc (vg_replace_malloc.c:236)
==2450== by 0x48D614F: g_malloc (gmem.c:132)
==2450== by 0xCE887: cbs_topic_ranges_to_string (smsutil.c:4631)
==2450== by 0xE5DC7: cbs_topics_to_str (cbs.c:329)
==2450== by 0xE631F: cbs_set_powered (cbs.c:465)
==2450== by 0xE6E4B: cbs_got_file_contents (cbs.c:752)
==2450== by 0xE74BF: sim_cbmid_read_cb (cbs.c:889)
==2450== by 0x103017: sim_fs_op_read_block_cb (simfs.c:388)
==2450== by 0x375C3: isi_read_file_transparent_resp (sim.c:1013)
==2450== by 0x19B5B: pending_remove_and_dispatch (modem.c:171)
==2450== by 0x19C87: service_dispatch (modem.c:218)
==2450== by 0x1A0D7: isi_callback (modem.c:334)
Regards
Andreas
next prev parent reply other threads:[~2011-02-16 15:50 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-16 12:04 [PATCH 1/1] src: out of bounds problem in smsutil Jessica Nilsson
2011-02-16 15:25 ` Denis Kenzior
2011-02-16 15:50 ` Andreas WESTIN [this message]
2011-02-16 16:02 ` Denis Kenzior
2011-02-16 16:13 ` Andreas WESTIN
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D5BF23A.4080308@stericsson.com \
--to=andreas.westin@stericsson.com \
--cc=ofono@ofono.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox