Hi there, I found several SEGV in the parser using the file: or pipe: vehicle modules. I (somehow successfully) wrote a workaround by checking, on the lines past
vehicle_file.c, whether the items array entries being accessed are valid. I think that malformed messages from gpspipe lead to SEGV. This is even exploitable for code injection.
```c
vehicle_file_parse(struct vehicle_priv *priv, char *buffer)
{
    char *items[32];
    ...
```
Then the string argument is exploded into items. But there is no check behind it that the string contained as many data fields as the specification of the NMEA command requires, returning a zero value if not.
My workaround is not stable; somehow GPS now works, but my interface freezes somewhere in the ZIP libraries. I don't know (yet) if this is related.
I could clean up my workaround into a patch, if it could be useful. Still note, I have only read the one file vehicle_file.c where gdb showed me the BOF was.
Details of what I really did:
excerpt:
<before I initialized all buffer[i] = NULL>
(here the string is exploded to the item array)

```c
        /* tail of the loop that splits buffer into item[] on ','; the loop header is not part of this excerpt */
        item[i++] = p;
        while (*p && *p != ',')
            p++;
        if (!*p)
            break;
        *p++ = '\0';
    }

/* l must be declared as an int in the enclosing function */
#define ASS_ITEMS_VALID(x) { \
    for (l = 1; l <= x; l++) \
        if (item[l] == NULL) { \
            printf("SEGV workaround is discarding\n"); \
            return 0; \
        } \
}

    if (!strncmp(buffer, "$GPGGA", 6)) {
        // here I assert, that item 1-9 are valid
        ASS_ITEMS_VALID(9);
        lat = g_ascii_strtod(item[2], NULL);
        priv->geo.lat = floor(lat / 100);
```
End of Citation
Here the relevant gdb output:

```text
navit:main:Using '/usr/local/share/navit/navit.xml'
vehicle_file:vehicle_file_parse:no leading $ in 'GPSD,R=1'

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1210370368 (LWP 7749)]
0xb73c34c2 in vehicle_file_io (priv=0x825a948) at vehicle_file.c:381
381 if (i == 12 && (*item[12] == 'A' || *item[12] == 'D'))
(gdb)
```
Still a nice piece of software. Let's get it running :-)
Contact: martin ÄT martinwerner <dot> de
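Added example (not Navit's code and not part of the report above): a splitter written in the style of the quoted loop that NULL-initialises item[], rejects input without a leading '$' such as the 'GPSD,R=1' banner, and returns the field count so that a consumer like the field-12 mode check from vehicle_file.c:381 tests count > 12 before dereferencing. The names nmea_split, nmea_mode_is_valid_fix, demo_count and demo_mode and the NMEA sentences fed to them are constructed for this example.

```c
#include <string.h>
#define MAX_ITEMS 32

/* Split an NMEA sentence in place on ',' into item[]. All slots start NULL and
 * the return value is the field count, so callers check count > N before item[N]. */
int nmea_split(char *buffer, char *item[MAX_ITEMS])
{
    int i = 0, k;
    char *p = buffer;
    for (k = 0; k < MAX_ITEMS; k++)
        item[k] = NULL;
    if (*p != '$')              /* e.g. the "GPSD,R=1" banner from gpspipe */
        return 0;
    while (i < MAX_ITEMS) {
        item[i++] = p;
        while (*p && *p != ',')
            p++;
        if (!*p)
            break;
        *p++ = '\0';
    }
    return i;
}

/* Same test as the crashing line vehicle_file.c:381, but the mode indicator
 * (field 12) is only read when the sentence actually carried 13 fields. */
int nmea_mode_is_valid_fix(char *item[MAX_ITEMS], int count)
{
    const char *mode = (count > 12) ? item[12] : NULL;
    return mode != NULL && (mode[0] == 'A' || mode[0] == 'D');
}

/* Stand-alone helpers: split a copy of a constructed sentence (buf is 128 bytes). */
static int split_copy(const char *sentence, char *item[MAX_ITEMS], char *buf)
{
    strncpy(buf, sentence, 127);
    buf[127] = '\0';
    return nmea_split(buf, item);
}
int demo_count(const char *sentence)
{
    char buf[128], *item[MAX_ITEMS];
    return split_copy(sentence, item, buf);
}
int demo_mode(const char *sentence)
{
    char buf[128], *item[MAX_ITEMS];
    return nmea_mode_is_valid_fix(item, split_copy(sentence, item, buf));
}
```

A 12-field RMC sentence (no NMEA 2.3 mode field) now yields count 12 and a false mode check instead of a read through an unset item[12].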
Nobody/Anonymous
core
None
Public
Date: 2009-06-17 04:39:30 PDT We are not monitoring this bug tracker, but instead we are using our own