
#29 Several SEGV happened to me in parser

Status: closed
Owner: nobody
Labels: core (9)
Priority: 5
Updated: 2009-06-17
Created: 2009-02-20
Creator: M. Werner
Private: No

Hi there, I found several SEGVs in the parser using the file: or pipe: vehicle modules. I (somehow successfully) wrote a workaround by checking, on the lines past this point in vehicle_file.c, whether every entry of the items array being accessed is valid. I think that malformed messages from gpspipe lead to the SEGV. This is even exploitable for code injection.

    vehicle_file_parse(struct vehicle_priv *priv, char *buffer)
    char *items[32]
    ...

Then the string argument is exploded into items. But there is no check behind it that the string contained as many data fields as the specification of the NMEA command requires, returning zero if it does not.

My workaround is not stable: somehow GPS now works, but my interface freezes somewhere in the ZIP libraries. I don't know (yet) if this is related.

I could clean up my workaround into a patch, if it could be useful. Still, note that I have only read the one file, vehicle_file.c, where gdb showed me the BOF was.

Details of what I really did, excerpt:

    /* <before this I initialized all buffer[i] = NULL> */
    int l;   /* loop index used by the workaround macro below */

    /* here the string is exploded into the item array */
    while (i < 31) {
        item[i++] = p;
        while (*p && *p != ',')
            p++;
        if (!*p)
            break;
        *p++ = '\0';
    }

    /* workaround: discard the sentence if any of item[1..x] was never filled in */
    #define ASS_ITEMS_VALID(x) \
        { for (l = 1; l <= x; l++) \
            if (item[l] == NULL) { \
                printf("SEGV workaround is discarding\n"); \
                return 0; \
            } }

    if (!strncmp(buffer, "$GPGGA", 6)) {
        // here I assert, that item 1-9 are valid
        ASS_ITEMS_VALID(9);

        lat = g_ascii_strtod(item[2], NULL);
        priv->geo.lat = floor(lat / 100);

End of citation.

Here is the relevant gdb output:

    navit:main:Using '/usr/local/share/navit/navit.xml'
    vehicle_file:vehicle_file_parse:no leading $ in 'GPSD,R=1'

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread -1210370368 (LWP 7749)]
    0xb73c34c2 in vehicle_file_io (priv=0x825a948) at vehicle_file.c:381
    381 if (i == 12 && (*item[12] == 'A' || *item[12] == 'D'))
    (gdb)

Still a nice piece of software. Let's get it running :-)

Contact: martin ÄT martinwerner <dot> de
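The crash the report describes comes from dereferencing item[12] (or item[2], item[3], ...) on a sentence that never had that many comma-separated fields, so the pointer slot is whatever was on the stack. The following is an added example, not Navit's vehicle_file.c and not the reporter's patch, of the same splitter written defensively: every slot starts out NULL, the splitter returns the field count, and each sentence type states the highest index it will read and rejects the line before touching it. The function and type names (nmea_split, nmea_parse, nmea_coord, struct nmea_fix) and the sample sentences are invented for this example; the checksum verification that precedes the split in the real file is left out to keep the focus on the field-count check.

```c
/* Added example, not Navit's code: an NMEA field splitter whose item[] slots
 * start out NULL and whose per-sentence field-count check runs before any
 * item[n] is dereferenced. Names (nmea_split, nmea_parse, nmea_coord,
 * struct nmea_fix) are invented here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NMEA_MAX_ITEMS 32

struct nmea_fix {
    double lat;   /* decimal degrees, south negative */
    double lng;   /* decimal degrees, west negative */
    char mode;    /* RMC mode indicator (NMEA 2.3 field 12), '\0' if absent */
};

/* Split buffer in place on ',' and return the number of fields found.
 * Every slot is NULL-initialised first, so a slot the sentence never
 * filled can be detected instead of dereferenced. */
static int nmea_split(char *buffer, char *item[NMEA_MAX_ITEMS])
{
    int i = 0;
    char *p = buffer;

    for (int k = 0; k < NMEA_MAX_ITEMS; k++)
        item[k] = NULL;
    while (i < NMEA_MAX_ITEMS - 1) {
        item[i++] = p;
        while (*p && *p != ',')
            p++;
        if (!*p)
            break;
        *p++ = '\0';
    }
    return i;
}

/* ddmm.mmmm -> decimal degrees; an 'S' or 'W' hemisphere negates. */
static double nmea_coord(const char *field, const char *hemi)
{
    double raw = strtod(field, NULL);
    double deg = (double)(long)(raw / 100.0);
    double val = deg + (raw - deg * 100.0) / 60.0;
    return (hemi[0] == 'S' || hemi[0] == 'W') ? -val : val;
}

/* Parse a $GPGGA or $GPRMC sentence. Returns 1 and fills *fix, or 0 for
 * anything malformed: wrong prefix, too few fields, empty coordinate. */
static int nmea_parse(char *buffer, struct nmea_fix *fix)
{
    char *item[NMEA_MAX_ITEMS];
    int n, last_needed;
    int is_gga = !strncmp(buffer, "$GPGGA", 6);
    int is_rmc = !strncmp(buffer, "$GPRMC", 6);

    if (!is_gga && !is_rmc)
        return 0;
    n = nmea_split(buffer, item);

    /* Highest field index this sentence type is about to read. The code in
     * the report has no such check and runs straight into item[n]. */
    last_needed = is_gga ? 5 : 6;   /* GGA: lat,N/S,lon,E/W at 2..5; RMC at 3..6 */
    if (n <= last_needed)
        return 0;

    memset(fix, 0, sizeof *fix);
    if (is_gga) {
        if (!item[2][0] || !item[4][0])
            return 0;
        fix->lat = nmea_coord(item[2], item[3]);
        fix->lng = nmea_coord(item[4], item[5]);
    } else {
        if (!item[3][0] || !item[5][0])
            return 0;
        fix->lat = nmea_coord(item[3], item[4]);
        fix->lng = nmea_coord(item[5], item[6]);
        /* The mode indicator is optional (NMEA 2.3+): only read item[12]
         * when the sentence actually carries 13 fields. */
        if (n >= 13)
            fix->mode = item[12][0];
    }
    return 1;
}

/* Demo helpers over constructed sentences (not captured from a receiver). */
static double demo_gga_lat(void)
{
    char buf[] = "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47";
    struct nmea_fix fix;
    return nmea_parse(buf, &fix) ? fix.lat : 0.0;   /* 48.1173 */
}

/* Returns the RMC mode byte, '\0' when the field is absent, '?' on reject. */
static char demo_rmc_mode(const char *sentence)
{
    char buf[128];
    struct nmea_fix fix;
    snprintf(buf, sizeof buf, "%s", sentence);
    return nmea_parse(buf, &fix) ? fix.mode : '?';
}

int main(void)
{
    printf("GGA lat: %.4f\n", demo_gga_lat());
    printf("truncated RMC rejected: %d\n", demo_rmc_mode("$GPRMC,123519,A") == '?');
    return 0;
}
```

The point of returning the field count from the splitter is that the consumer decides per sentence type how many fields it needs, rather than every access site carrying its own NULL test as the ASS_ITEMS_VALID workaround does; a line such as the 'GPSD,R=1' seen in the gdb output is refused at the prefix check before the splitter runs at all.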

Discussion

  • KaZeR
    2009-06-17

    • status: open --> closed
     
  • KaZeR
    2009-06-17

    We are not monitoring this bug tracker; instead we are using our own trac, located at http://trac.navit-project.org.
    I'm closing your issue; please reopen it on our tracker if you are still facing the issue.
    I hope that you understand that we cannot keep track of bugs on both trackers.
    Thanks for your interest!