Learn how easy it is to sync an existing GitHub or Google Code repo to a SourceForge project! See Demo


#29 Several SEGV happened to me in parser

core (9)
M. Werner

Hi there, I found several SEGV in parser using file: or pipe: vehicle modules. I (somehow sucessfully) wrote a workaround by checking, whether on the lines past
vehicle_file.c the items array of all items being accessed is valid. I think, that malformed messages from gpspipe lead to SEGV. This is even exploitable for code injection.

vehicle_file_parse(struct vehicle_priv *priv, char *buffer)
char *items[32]
then the string argument is exploded to items. But there is no check behind, that the string contained as many data fields as the specification of the NMEA command needs to have and returns a zero value if not.

My workaround is not stable, somehow GPS now works, but my interfaces freezes somewhere in the ZIP libraries. I dont know (yet) if this is related.

I could clean up my workaround to a patch, if it could be useful. Still note, I have only read the one file vehicle_file.c where gdb showed me the BOF was.

Details, what I really did:
<before I initialized all buffer[i] = NULL>

(here the string is exploeded to the item array
item[i++] = p;
while (*p && *p != ',')
if (!*p)
*p++ = '\0';

#define ASS_ITEMS_VALID(x) {for (l=1; l <= x; l++) if (item[l] == NULL){printf("SEGV workaround is discarding\n");return 0;}}

if (!strncmp(buffer, "$GPGGA", 6)) {
// here I assert, that item 1-9 are valid


lat = g_ascii_strtod(item[2], NULL);
priv->geo.lat = floor(lat / 100);

End of Citation

Here the relevant gdb output

navit:main:Using '/usr/local/share/navit/navit.xml'
vehicle_file:vehicle_file_parse:no leading $ in 'GPSD,R=1'

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1210370368 (LWP 7749)]
0xb73c34c2 in vehicle_file_io (priv=0x825a948) at vehicle_file.c:381
381 if (i == 12 && (*item[12] == 'A' || *item[12] == 'D'))

Still nice piece of software. Lets get it running :-)

Contact: martin ÄT martinwerner <dot> de


  • KaZeR

    • status: open --> closed
  • KaZeR

    We are not monitoring this bug tracker, but instead we are using our own trac, located at http://trac.navit-project.org.
    I'm closing your issue, please reopen on our tracker if you are still facing the issue.
    I hope that you understand that we cannot keep tracks of bugs on both trackers.
    Thanks for your interest!