Bug 58884 - parse_pnp_string() goes past end of alloced string causing seg fault
parse_pnp_string() goes past end of alloced string causing seg fault
Status: CLOSED RAWHIDE
Product: Red Hat Raw Hide
Classification: Retired
Component: kudzu
Version: 1.0
Platform: i386 Linux
Priority: medium, Severity: high
Assigned To: Bill Nottingham
David Lawrence
Reported: 2002-01-26 13:24 EST by George Hawkins
Modified: 2014-03-16 22:25 EDT (History)

Doc Type: Bug Fix
Last Closed: 2002-01-26 19:50:31 EST
Attachments
A patch to serial.c that fixes this bug (894 bytes, patch), 2002-01-26 19:50 EST, George Hawkins
Description George Hawkins 2002-01-26 13:24:26 EST
The following bug is present in the version of kudzu-0.99.23-1 that
comes with RedHat 7.2 and is still present in the latest version (as
of January 26th, 2002) kudzu-0.99.45-1.

When running kudzu on my system the function parse_pnp_string() (in the
file "serial.c") is called with the following arguments:

    int pnp_len = 11
    unsigned char pnp_id_string[] =
      { '~', 0x16, 0x8, '0', '(', '4', '9', ')', 'q', 0x19, 0x7f, 0x0 }

Note pnp_id_string contains both the BeginPnP1 '(' character and the
BeginPnP2 0x08 character but only the EndPnP1 ')' character - it does
not contain the EndPnP2 0x09 character.

pnp_id_string is copied into the memory pointed to by the local variable
pnp_string.

So then the piece of code marked by the comment

  /* first find the start of the PnP part of string */

finds the two begin characters and the following code chooses the
BeginPnP2 character over the BeginPnP1 character as it is nearer to the
start of the string.

So now we're in trouble as we hit the code marked by the comment

  /* we need to xlate data in PnP fields */

as the following code adds 0x20 to each character but runs over the
end of pnp_string as it does not find the EndPnP2 character.

On my system it zips on through memory and overwrites the local
variables before hitting a 0x09 somewhere. And so it's actually the
memcpy() just below that causes kudzu to exit with a
'Segmentation fault' as pnp_string now no longer points to a valid area
of memory.
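The overrun described in this report comes from scanning for an end marker without checking the buffer length. Below is an added example, not kudzu's serial.c and not the reporter's patch: a bounds-checked reconstruction of the begin/end marker scan, using the marker values named in the report (BeginPnP1 '(', BeginPnP2 0x08, EndPnP1 ')', EndPnP2 0x09). The helper name pnp_find_and_xlate and the way it pairs each begin marker with its end marker are assumptions made for the illustration. Fed the report's 11-byte string, it returns -1 instead of walking past the buffer; fed a well-formed 0x08 ... 0x09 block it performs the 0x20 translation in place.

```c
#include <stddef.h>
#include <stdio.h>

/* Marker bytes as described in the bug report. */
#define BEGIN_PNP1 '('
#define BEGIN_PNP2 0x08
#define END_PNP1   ')'
#define END_PNP2   0x09

/* Hypothetical hardened helper (not kudzu's code). Locates the PnP
 * block inside buf[0..len) and, when it is framed by BeginPnP2/EndPnP2,
 * translates it in place by adding 0x20 to each byte, as the report
 * says the original does. Returns the index of the chosen begin
 * marker, or -1 when no begin marker or no matching end marker lies
 * inside the buffer. Every loop is bounded by len, so a string without
 * an end marker is rejected rather than read past its end. */
int pnp_find_and_xlate(unsigned char *buf, size_t len)
{
    size_t i;
    int begin = -1;
    unsigned char end_marker;

    /* Earliest begin marker wins, matching the behaviour in the report. */
    for (i = 0; i < len; i++) {
        if (buf[i] == BEGIN_PNP1 || buf[i] == BEGIN_PNP2) {
            begin = (int)i;
            break;
        }
    }
    if (begin < 0)
        return -1;

    /* Assumption: each begin marker pairs with its own end marker. */
    end_marker = (buf[begin] == BEGIN_PNP2) ? END_PNP2 : END_PNP1;

    /* Bounded search for the matching end marker. */
    for (i = (size_t)begin + 1; i < len; i++) {
        if (buf[i] == end_marker)
            break;
    }
    if (i == len)
        return -1;  /* no end marker inside the buffer: refuse */

    /* Only the 0x08/0x09 framing needs the 0x20 translation. */
    if (end_marker == END_PNP2) {
        size_t j;
        for (j = (size_t)begin + 1; j < i; j++)
            buf[j] += 0x20;
    }
    return begin;
}

/* The report's constructed 11-byte input: both begin markers present,
 * EndPnP1 present, EndPnP2 absent. Expected result: -1. */
int demo_report_sample(void)
{
    unsigned char s[] = { '~', 0x16, 0x08, '0', '(', '4', '9', ')',
                          'q', 0x19, 0x7f, 0x00 };
    return pnp_find_and_xlate(s, 11);
}

/* Constructed well-formed 0x08 ... 0x09 block. Returns the translated
 * second byte ('A' + 0x20 == 'a'), or -1 if the helper rejected it. */
int demo_wellformed(void)
{
    unsigned char s[] = { 0x08, 'A', 'B', 0x09, 0x00 };
    if (pnp_find_and_xlate(s, 4) != 0)
        return -1;
    return s[1];
}

/* Constructed '(' ... ')' block: found at index 0, no translation. */
int demo_paren_block(void)
{
    unsigned char s[] = "(49)";
    return pnp_find_and_xlate(s, 4);
}

int main(void)
{
    printf("report sample: %d (no EndPnP2 in buffer)\n", demo_report_sample());
    printf("well-formed block: second byte becomes '%c'\n", demo_wellformed());
    printf("paren block: begin index %d\n", demo_paren_block());
    return 0;
}
```

The point of the helper is that the caller's pnp_len is the only source of truth for how far any scan may go; a missing marker becomes an error return, not a walk through the stack.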
Comment 1 George Hawkins 2002-01-26 19:50:26 EST
Created attachment 43637
A patch to serial.c that fixes this bug
Comment 2 Bill Nottingham 2002-02-25 12:58:28 EST
Will be fixed in 0.99.48-1; thanks!