Bug 186779 - pilot-xfer crashes with buffer overflow on missing device node
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: pilot-link
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Ngo Than
Duplicates: 184399 186684
Reported: 2006-03-26 07:35 EST by Nigel Metheringham
Modified: 2007-11-30 17:11 EST (History)

Doc Type: Bug Fix
Last Closed: 2006-04-14 12:17:29 EDT

Attachments
Patch to fix realpath problem (709 bytes, patch)
2006-03-26 07:35 EST, Nigel Metheringham

Description Nigel Metheringham 2006-03-26 07:35:03 EST
Description of problem:
pilot-xfer bombs out if the sync device node does not exist when it is launched.
This can kill off higher level applications like gnome-pilot or kpilot.

Version-Release number of selected component (if applicable):
pilot-link-0.12.0-0.pre4.5.2.1

How reproducible:
Oh yes!

Steps to Reproduce:
1. pilot-xfer -p /tmp/non-existing-file -l

Actual results:
Buffer overflow traceback

Expected results:
Standard error message

Additional info:
This is down to the realpath call in libpisock/serial.c.
The FORTIFY_SOURCE magic makes it explode if passed a defined buffer as the
second parameter.

Linux-only fix patch attached.
This is probably not suitable as the real fix since it depends on a GNU-specific
behaviour of realpath() - then again the bug is a Linux-specific bounds checking
one.  Hence the pilot-link folks - who will want more portability than "Linux
only" - will probably want to fix this by dealing more appropriately with realpath().
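The realpath() pitfall described in this report, with a caller-side fix, as an added C example that is neither the attached patch nor pilot-link's own serial.c code. The names resolve_device and open_device are hypothetical, and the missing-device path is the one from the reproduction steps above. It uses the allocating form realpath(port, NULL), a GNU extension later standardised in POSIX.1-2008, so there is no fixed-size destination buffer for the _FORTIFY_SOURCE check to reject; a nonexistent device node then comes back as a plain ENOENT error that the caller reports with strerror() instead of aborting the whole process (and with it gnome-pilot or kpilot).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: resolve `port` to a canonical path into `out`
 * (capacity `outlen`). Returns 0 on success or an errno value on failure,
 * e.g. ENOENT when the device node does not exist.
 *
 * It never aborts: realpath() is called with a NULL resolved_path, so
 * glibc allocates a buffer of the right size and the _FORTIFY_SOURCE
 * wrapper (__realpath_chk) has no undersized caller buffer to reject. */
int resolve_device(const char *port, char *out, size_t outlen)
{
    char *res = realpath(port, NULL);   /* allocating form (GNU / POSIX.1-2008) */
    if (res == NULL)
        return errno;                   /* ENOENT, EACCES, ELOOP, ... */

    if (strlen(res) + 1 > outlen) {     /* do not overflow the caller's buffer */
        free(res);
        return ENAMETOOLONG;
    }
    strcpy(out, res);                   /* length checked just above */
    free(res);
    return 0;
}

/* The shape of code that trips the fortified check is, in outline:
 *
 *     char real[64];             // fixed buffer smaller than PATH_MAX
 *     realpath(port, real);      // compiled to __realpath_chk -> __chk_fail()
 *
 * which is what "*** buffer overflow detected ***" in the backtrace means.
 * The hardened caller below reports the failure and returns instead. */
int open_device(const char *port)
{
    char real[PATH_MAX];
    int err = resolve_device(port, real, sizeof real);
    if (err != 0) {
        /* The "standard error message" the report expects instead of a crash. */
        fprintf(stderr, "pilot-xfer: %s: %s\n", port, strerror(err));
        return -1;
    }
    printf("device resolved to %s\n", real);
    return 0;
}

int main(int argc, char **argv)
{
    /* Default argument reproduces the missing-device case from the report. */
    const char *port = argc > 1 ? argv[1] : "/tmp/non-existing-file";
    return open_device(port) == 0 ? 0 : 1;
}
```

Run it with no arguments to see the ENOENT message on stderr and exit status 1; pass an existing path (e.g. `/dev/null`) to see the resolved path printed. The same approach keeps callers portable to libcs that lack the allocating form only if they also guarantee a PATH_MAX-sized buffer, which is the portability trade-off the report alludes to.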
Comment 1 Nigel Metheringham 2006-03-26 07:35:03 EST
Created attachment 126769 [details]
Patch to fix realpath problem
Comment 2 Nigel Metheringham 2006-03-26 07:41:13 EST
See also Bug #185562 
Upstream info at http://bugs.pilot-link.org/1591
Comment 3 Pawel Salek 2006-03-31 18:17:04 EST
All applications that use pilot link lib crash likely in this or similar place.
I have reproduced the problem using jpilot and evolution.
Comment 4 Frank Ch. Eigler 2006-04-03 22:20:39 EDT
*** Bug 184399 has been marked as a duplicate of this bug. ***
Comment 5 David Kaplan 2006-04-07 14:40:09 EDT
I am trying to sync my palm with evolution and it fails with the following
messages appearing in dmesg:

usb 4-3.2: new full speed USB device using ehci_hcd and address 26
usb 4-3.2: device descriptor read/64, error -110
usb 4-3.2: device descriptor read/64, error -110
usb 4-3.2: new full speed USB device using ehci_hcd and address 27
usb 4-3.2: device descriptor read/64, error -110
usb 4-3.2: device descriptor read/64, error -110
usb 4-3.2: new full speed USB device using ehci_hcd and address 28
usb 4-3.2: device not accepting address 28, error -110
usb 4-3.2: new full speed USB device using ehci_hcd and address 29
usb 4-3.2: device not accepting address 29, error -110

Is this the same bug or something else?
Comment 6 Nigel Metheringham 2006-04-09 10:54:52 EDT
(In reply to comment #5)
> I am trying to sync my palm with evolution and it fails with the following
> messages appearing in dmesg:
[...]
> Is this the same bug or something else?

Something different.  I would suspect a hardware fault.
Comment 7 Andrea Dell'Amico 2006-04-13 21:07:25 EDT
It crashes for me too. I'm using pilot-link 0.11.8-12.2.fc5 from
updates-testing; the stack trace is:

*** buffer overflow detected ***: /usr/bin/pilot-xfer terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xce3965]
/lib/libc.so.6(__ptsname_r_chk+0x0)[0xce3fa8]
/usr/lib/libpisock.so.8(pilot_connect+0x11c)[0x66ebdc]
/usr/bin/pilot-xfer[0x80498be]
/usr/bin/pilot-xfer[0x8049a15]
/usr/bin/pilot-xfer[0x804a833]
/lib/libc.so.6(__libc_start_main+0xdc)[0xc1d7e4]
/usr/bin/pilot-xfer[0x8049431]
======= Memory map: ========
00668000-0068c000 r-xp 00000000 fd:00 1604705    /usr/lib/libpisock.so.8.0.5
0068c000-00690000 rwxp 00023000 fd:00 1604705    /usr/lib/libpisock.so.8.0.5
00863000-008a3000 r-xp 00000000 fd:00 1595303    /usr/lib/libncurses.so.5.5
008a3000-008ab000 rwxp 00040000 fd:00 1595303    /usr/lib/libncurses.so.5.5
008ab000-008ac000 rwxp 008ab000 00:00 0
00bea000-00beb000 r-xp 00bea000 00:00 0          [vdso]
00beb000-00c04000 r-xp 00000000 fd:00 519231     /lib/ld-2.4.so
00c04000-00c05000 r-xp 00018000 fd:00 519231     /lib/ld-2.4.so
00c05000-00c06000 rwxp 00019000 fd:00 519231     /lib/ld-2.4.so
00c08000-00d34000 r-xp 00000000 fd:00 521764     /lib/libc-2.4.so
00d34000-00d37000 r-xp 0012b000 fd:00 521764     /lib/libc-2.4.so
00d37000-00d38000 rwxp 0012e000 fd:00 521764     /lib/libc-2.4.so
00d38000-00d3b000 rwxp 00d38000 00:00 0
00d64000-00d66000 r-xp 00000000 fd:00 521766     /lib/libdl-2.4.so
00d66000-00d67000 r-xp 00001000 fd:00 521766     /lib/libdl-2.4.so
00d67000-00d68000 rwxp 00002000 fd:00 521766     /lib/libdl-2.4.so
00d92000-00dbe000 r-xp 00000000 fd:00 1601968    /usr/lib/libreadline.so.5.0
00dbe000-00dc2000 rwxp 0002c000 fd:00 1601968    /usr/lib/libreadline.so.5.0
00dc2000-00dc3000 rwxp 00dc2000 00:00 0
07ea2000-07ead000 r-xp 00000000 fd:00 521768     /lib/libgcc_s-4.1.0-20060304.so.1
07ead000-07eae000 rwxp 0000a000 fd:00 521768     /lib/libgcc_s-4.1.0-20060304.so.1
08048000-0804d000 r-xp 00000000 fd:00 1604694    /usr/bin/pilot-xfer
0804d000-0804e000 rw-p 00005000 fd:00 1604694    /usr/bin/pilot-xfer
097ec000-0980d000 rw-p 097ec000 00:00 0          [heap]
b7f49000-b7f4b000 rw-p b7f49000 00:00 0
b7f62000-b7f63000 rw-p b7f62000 00:00 0
bf84c000-bf862000 rw-p bf84c000 00:00 0          [stack]
Aborted
Comment 8 Ngo Than 2006-04-14 12:17:29 EDT
It's now fixed in 0.11.8-12.3.fc5. It will be available in fc5-update-testing
soon. Many thanks for your report.
Comment 9 Frank Ch. Eigler 2006-04-21 14:10:54 EDT
*** Bug 186684 has been marked as a duplicate of this bug. ***
