Bug 186779 - pilot-xfer crashes with buffer overflow on missing device node
Summary: pilot-xfer crashes with buffer overflow on missing device node
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pilot-link
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Than Ngo
QA Contact:
URL:
Whiteboard:
Duplicates: 184399 186684
Depends On:
Blocks:
 
Reported: 2006-03-26 12:35 UTC by Nigel Metheringham
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-04-14 16:17:29 UTC
Type: ---
Embargoed:


Attachments
Patch to fix realpath problem (709 bytes, patch), 2006-03-26 12:35 UTC, Nigel Metheringham

Description Nigel Metheringham 2006-03-26 12:35:03 UTC
Description of problem:
pilot-xfer bombs out if the sync device node does not exist when it is launched.
This can kill off higher level applications like gnome-pilot or kpilot.

Version-Release number of selected component (if applicable):
pilot-link-0.12.0-0.pre4.5.2.1

How reproducible:
Oh yes!

Steps to Reproduce:
1. pilot-xfer -p /tmp/non-existing-file -l

Actual results:
Buffer overflow traceback

Expected results:
Standard error message

Additional info:
This is down to the realpath call in libpisock/serial.c
The FORTIFY_SOURCE magic makes it explode if passed a defined buffer as the
second parameter.

Linux only fix patch attached.
This is probably not suitable as the real fix since it depends on a GNU-specific
behaviour of realpath(); then again, the bug is a Linux-specific bounds-checking
one. Hence the pilot-link folks, who will want more portability than "Linux
only", will probably want to fix this by dealing more appropriately with realpath().

Comment 1 Nigel Metheringham 2006-03-26 12:35:03 UTC
Created attachment 126769 [details]
Patch to fix realpath problem

Comment 2 Nigel Metheringham 2006-03-26 12:41:13 UTC
See also Bug #185562 
Upstream info at http://bugs.pilot-link.org/1591


Comment 3 Pawel Salek 2006-03-31 23:17:04 UTC
All applications that use the pilot-link lib likely crash in this or a similar place.
I have reproduced the problem using jpilot and evolution.

Comment 4 Frank Ch. Eigler 2006-04-04 02:20:39 UTC
*** Bug 184399 has been marked as a duplicate of this bug. ***

Comment 5 David Kaplan 2006-04-07 18:40:09 UTC
I am trying to sync my palm with evolution and it fails with the following
messages appearing in dmesg:

usb 4-3.2: new full speed USB device using ehci_hcd and address 26
usb 4-3.2: device descriptor read/64, error -110
usb 4-3.2: device descriptor read/64, error -110
usb 4-3.2: new full speed USB device using ehci_hcd and address 27
usb 4-3.2: device descriptor read/64, error -110
usb 4-3.2: device descriptor read/64, error -110
usb 4-3.2: new full speed USB device using ehci_hcd and address 28
usb 4-3.2: device not accepting address 28, error -110
usb 4-3.2: new full speed USB device using ehci_hcd and address 29
usb 4-3.2: device not accepting address 29, error -110

Is this the same bug or something else?


Comment 6 Nigel Metheringham 2006-04-09 14:54:52 UTC
(In reply to comment #5)
> I am trying to sync my palm with evolution and it fails with the following
> messages appearing in dmesg:
[...]
> Is this the same bug or something else?

Something different.  I would suspect a hardware fault.

Comment 7 Andrea Dell'Amico 2006-04-14 01:07:25 UTC
It crashes for me too. I'm using pilot-link 0.11.8-12.2.fc5 from
updates-testing, the stack trace is:

*** buffer overflow detected ***: /usr/bin/pilot-xfer terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xce3965]
/lib/libc.so.6(__ptsname_r_chk+0x0)[0xce3fa8]
/usr/lib/libpisock.so.8(pilot_connect+0x11c)[0x66ebdc]
/usr/bin/pilot-xfer[0x80498be]
/usr/bin/pilot-xfer[0x8049a15]
/usr/bin/pilot-xfer[0x804a833]
/lib/libc.so.6(__libc_start_main+0xdc)[0xc1d7e4]
/usr/bin/pilot-xfer[0x8049431]
======= Memory map: ========
00668000-0068c000 r-xp 00000000 fd:00 1604705    /usr/lib/libpisock.so.8.0.5
0068c000-00690000 rwxp 00023000 fd:00 1604705    /usr/lib/libpisock.so.8.0.5
00863000-008a3000 r-xp 00000000 fd:00 1595303    /usr/lib/libncurses.so.5.5
008a3000-008ab000 rwxp 00040000 fd:00 1595303    /usr/lib/libncurses.so.5.5
008ab000-008ac000 rwxp 008ab000 00:00 0
00bea000-00beb000 r-xp 00bea000 00:00 0          [vdso]
00beb000-00c04000 r-xp 00000000 fd:00 519231     /lib/ld-2.4.so
00c04000-00c05000 r-xp 00018000 fd:00 519231     /lib/ld-2.4.so
00c05000-00c06000 rwxp 00019000 fd:00 519231     /lib/ld-2.4.so
00c08000-00d34000 r-xp 00000000 fd:00 521764     /lib/libc-2.4.so
00d34000-00d37000 r-xp 0012b000 fd:00 521764     /lib/libc-2.4.so
00d37000-00d38000 rwxp 0012e000 fd:00 521764     /lib/libc-2.4.so
00d38000-00d3b000 rwxp 00d38000 00:00 0
00d64000-00d66000 r-xp 00000000 fd:00 521766     /lib/libdl-2.4.so
00d66000-00d67000 r-xp 00001000 fd:00 521766     /lib/libdl-2.4.so
00d67000-00d68000 rwxp 00002000 fd:00 521766     /lib/libdl-2.4.so
00d92000-00dbe000 r-xp 00000000 fd:00 1601968    /usr/lib/libreadline.so.5.0
00dbe000-00dc2000 rwxp 0002c000 fd:00 1601968    /usr/lib/libreadline.so.5.0
00dc2000-00dc3000 rwxp 00dc2000 00:00 0
07ea2000-07ead000 r-xp 00000000 fd:00 521768     /lib/libgcc_s-4.1.0-20060304.so.1
07ead000-07eae000 rwxp 0000a000 fd:00 521768     /lib/libgcc_s-4.1.0-20060304.so.1
08048000-0804d000 r-xp 00000000 fd:00 1604694    /usr/bin/pilot-xfer
0804d000-0804e000 rw-p 00005000 fd:00 1604694    /usr/bin/pilot-xfer
097ec000-0980d000 rw-p 097ec000 00:00 0          [heap]
b7f49000-b7f4b000 rw-p b7f49000 00:00 0
b7f62000-b7f63000 rw-p b7f62000 00:00 0
bf84c000-bf862000 rw-p bf84c000 00:00 0          [stack]
Aborted


Comment 8 Than Ngo 2006-04-14 16:17:29 UTC
it's now fixed in 0.11.8-12.3.fc5. It will be available in fc5-update-testing
soon. Many thanks for your report.

Comment 9 Frank Ch. Eigler 2006-04-21 18:10:54 UTC
*** Bug 186684 has been marked as a duplicate of this bug. ***

