#32 obexftp buffer overflow?

Status: closed-works-for-me
Owner: nobody
Labels: None
Priority: 5
Updated: 2006-01-11
Created: 2005-11-10
Creator: Patrik Kullman
Private: No

When connecting to my Sony Ericsson K608i with obexftp
(0.10.8) or obexfs (0.5) over bluetooth, the
application dies if the data to receive is more than or
equal to 1026 bytes.

Command:
strace obexftp -b 00:12:EE:1E:86:B5 -B 7 -l Bilder

Output:
write(2, "Receiving \"Bilder\"... ", 22Receiving "Bilder"... ) = 22
write(3, "\203\0002\313\0\0\0\1B\0\31x-obex/folder-listing"..., 50) = 50
select(4, [3], NULL, NULL, {20, 0}) = 1 (in [3], left {19, 457000})
read(3, "\240\4\5", 3) = 3
read(3, "\313\0\0\0\1I\3\375<?xml version=\"1.0\" enco"..., 1026) = 326
select(4, [3], NULL, NULL, {20, 0}) = 1 (in [3], left {19, 993000})
read(3, "ze=\"55602\"/>\r\n<file name=\"Office"..., 700) = 700
open("/dev/tty", O_RDWR|O_NONBLOCK|O_NOCTTY) = 4
writev(4, [{"*** glibc detected *** ", 23}, {"double free or corruption (!prev"..., 33}, {": 0x", 4}, {"0804d198", 8}, {" ***\n", 5}], 5*** glibc detected *** double free or corruption (!prev): 0x0804d198 ***
) = 73
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
gettid() = 22975
tgkill(22975, 22975, SIGABRT) = 0
--- SIGABRT (Aborted) @ 0 (0) ---
+++ killed by SIGABRT +++

Discussion

  • Patrik Kullman (2005-11-11)

    After some further digging, my friend and I located the
    problem in openobex-1.0.1/src/netbuf.c:110, realloc().

    Command:
    MALLOC_CHECK_="1" obexftp -b 00:12:EE:1E:86:B5 -B 7 -l Bilder

    Output:
    Receiving "Bilder"... *** glibc detected *** realloc():
    invalid pointer: 0x0804d188 ***
    failed: Bilder

    Workaround:
    We didn't understand the library at once, had limited time
    and knowledge of C, so the way we went around it was to make
    a new malloc() and memcpy() the contents.
    I don't want to post a patch since it would lead to a memory
    leak.

    Info: openobex 1.0.1, glibc 2.3.5 (Gentoo release 2)

  • (user_id=136432)

    From looking at the code, everything seems to be OK.
    msg->end points to the location behind the buffer (i.e.
    msg->truesize==1, msg->head points to a single byte, whereas
    msg->end points to msg->head + msg->truesize, that is
    off-by-one). No problem this far. Care is taken when using
    msg->tail, because it points to msg->head initially and
    should only be used if there is still room.
    At l.157 if (msg->tail > msg->end) {realloc} is ok because
    it has been just increased.
    Compare l.274: where tailroom = "msg->end - msg->tail" will
    give the right amount of space before and after the operation.
    Try the code with simple buffer sizes of 1 or so and tell me
    if I'm mistaken, please.

    status: open --> closed-works-for-me
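The head/tail/end bookkeeping the previous comment describes, written out as an added example in C. This is not openobex's netbuf code: the struct and the nb_* functions are hypothetical, modelled only on the field names mentioned above (head, tail, end, truesize). The three header bytes and the chunk sizes 3, 326 and 700 are taken from the strace in the report; the payload bytes are constructed. The self-test runs the buffer with truesize 1, as the commenter suggests, and checks that tail never moves past end and that every pointer is rebuilt after realloc() moves the block.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical netbuf-style buffer (not openobex's own code). */
struct nb {
    unsigned char *head;   /* start of the allocation */
    unsigned char *tail;   /* one past the last data byte; == head when empty */
    unsigned char *end;    /* head + truesize: one past the allocation */
    size_t truesize;       /* bytes allocated */
};

struct nb *nb_alloc(size_t size)
{
    struct nb *m = malloc(sizeof *m);
    if (!m)
        return NULL;
    if (size == 0)
        size = 1;
    m->head = malloc(size);
    if (!m->head) {
        free(m);
        return NULL;
    }
    m->truesize = size;
    m->tail = m->head;
    m->end = m->head + size;
    return m;
}

size_t nb_len(const struct nb *m)      { return (size_t)(m->tail - m->head); }
size_t nb_tailroom(const struct nb *m) { return (size_t)(m->end - m->tail); }

/* Ensure at least `need` bytes of tailroom, growing by doubling. All three
 * pointers are rebuilt from the new base because realloc may move the block;
 * a tail or end still pointing into the old block is exactly the kind of
 * value a later realloc()/free() rejects as an "invalid pointer". */
int nb_reserve(struct nb *m, size_t need)
{
    if (nb_tailroom(m) >= need)
        return 0;
    size_t used = nb_len(m);
    size_t newsize = m->truesize;
    while (newsize - used < need) {
        if (newsize > SIZE_MAX / 2)
            return -1;                 /* refuse to overflow the size */
        newsize *= 2;
    }
    unsigned char *p = realloc(m->head, newsize);
    if (!p)
        return -1;                     /* old block is still valid */
    m->head = p;
    m->tail = p + used;
    m->end = p + newsize;
    m->truesize = newsize;
    return 0;
}

/* Append len bytes; tail is only advanced once the room exists. */
int nb_put(struct nb *m, const void *data, size_t len)
{
    if (nb_reserve(m, len) != 0)
        return -1;
    memcpy(m->tail, data, len);
    m->tail += len;
    return 0;
}

void nb_free(struct nb *m)
{
    if (m) {
        free(m->head);
        free(m);
    }
}

/* Self-check with truesize 1: the 3-byte response header from the trace,
 * then 326 and 700 bytes of constructed body. Returns the final length
 * (1029) on success and 0 on any failure. */
size_t nb_selftest(void)
{
    unsigned char hdr[3] = { 0xa0, 0x04, 0x05 };   /* "\240\4\5" in the strace */
    unsigned char body[1026];                      /* constructed payload */
    for (size_t i = 0; i < sizeof body; i++)
        body[i] = (unsigned char)(i & 0xff);

    struct nb *m = nb_alloc(1);
    if (!m || nb_len(m) != 0 || nb_tailroom(m) != 1)
        return 0;
    int ok = nb_put(m, hdr, sizeof hdr) == 0
          && nb_put(m, body, 326) == 0
          && nb_put(m, body + 326, 700) == 0
          && m->tail <= m->end
          && nb_len(m) == 1029
          && memcmp(m->head, hdr, 3) == 0
          && memcmp(m->head + 3, body, 1026) == 0;
    size_t n = ok ? nb_len(m) : 0;
    nb_free(m);
    return n;
}
```

Running the self-test under MALLOC_CHECK_=1, as the reporter did, is the quickest way to see whether a buffer of this shape hands a stale pointer back to realloc(): with every pointer recomputed from the new base after each growth, glibc stays silent and the final length is 1029.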
  • Patrik Kullman (2006-01-11)

    Seems like problem is fixed!
    All is working splendidly with the following setup:

    app-mobilephone/obexftp-0.18_beta4
    app-mobilephone/obexfs-0.6
    dev-libs/openobex-1.0.1

    Apart from copying many files or files containing () TO the
    mobilephone (K750i).