Bug 58884 - parse_pnp_string() goes past end of alloced string causing seg fault
Summary: parse_pnp_string() goes past end of alloced string causing seg fault
Alias: None
Product: Red Hat Raw Hide
Classification: Retired
Component: kudzu
Version: 1.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: David Lawrence
Depends On:
Reported: 2002-01-26 18:24 UTC by George Hawkins
Modified: 2014-03-17 02:25 UTC (History)

Clone Of:
Last Closed: 2002-01-27 00:50:31 UTC

Attachments
A patch to serial.c that fixes this bug (894 bytes, patch)
2002-01-27 00:50 UTC, George Hawkins

Description George Hawkins 2002-01-26 18:24:26 UTC
The following bug is present in the version of kudzu-0.99.23-1 that
comes with RedHat 7.2 and is still present in the latest version (as
of January 26th, 2002) kudzu-0.99.45-1.

When running kudzu on my system the function parse_pnp_string() (in the 
file "serial.c") is called with the following arguments:

    int pnp_len = 11
    unsigned char* pnp_id_string =
      { '~', 0x16, 0x8, '0', '(', '4', '9', ')', 'q', 0x19, 0x7f, 0x0 }

Note pnp_id_string contains both the BeginPnP1 '(' character and the
BeginPnP2 0x08 character but only the EndPnP1 ')' character - it does
not contain the EndPnP2 0x09 character.

pnp_id_string is copied into the memory pointed to by the local variable

So then the piece of code marked by the comment

  /* first find the start of the PnP part of string */

finds the two begin characters and the following code chooses the
BeginPnP2 character over the BeginPnP1 character as it is nearer to the
start of the string.

So now we're in trouble as we hit the code marked by the comment

  /* we need to xlate data in PnP fields */

as the following code adds 0x20 to each character but runs over the
end of pnp_string as it does not find the EndPnP2 character.

On my system it zips on through memory and overwrites the local
variables before hitting a 0x09 somewhere. And so it's actually the
memcpy() just below that causes kudzu to exit with a
'Segmentation fault' as pnp_string now no longer points to a valid area
of memory.
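
The scan the report describes, as an added example: this is not kudzu's serial.c and not the attached patch, but a small model of the same logic. It picks whichever begin marker comes first, then translates bytes by adding 0x20 until the matching end marker. The unbounded loop is run inside a larger constructed arena (with a stray 0x09 placed at offset 40 to stand in for "hitting a 0x09 somewhere") so the over-read can be counted instead of crashing; the bounded version first checks that the end marker lies inside pnp_len and rejects the string otherwise. The marker constants, arena layout and the well-formed "(ABC)" input are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Marker bytes named in the report (BeginPnP1/2, EndPnP1/2). */
#define BEGIN_PNP1 '('
#define BEGIN_PNP2 0x08
#define END_PNP1   ')'
#define END_PNP2   0x09

#define ARENA_SIZE 64
#define STRAY_END  40   /* constructed: where a 0x09 happens to sit in "memory" */

/* Constructed: the 11-byte ID string from the report plus its NUL. */
static const unsigned char sample_id[] =
    { '~', 0x16, 0x08, '0', '(', '4', '9', ')', 'q', 0x19, 0x7f, 0x00 };
#define SAMPLE_LEN 11

/* Return the index of the begin marker nearest the start of the string
 * (the first one seen), or -1; *end_marker receives the matching end byte. */
static int find_pnp_start(const unsigned char *s, int len, unsigned char *end_marker)
{
    for (int i = 0; i < len; i++) {
        if (s[i] == BEGIN_PNP1) { *end_marker = END_PNP1; return i; }
        if (s[i] == BEGIN_PNP2) { *end_marker = END_PNP2; return i; }
    }
    return -1;
}

/* Model of the unbounded translation: add 0x20 to every byte after the begin
 * marker until end_marker appears, with no check against the string length.
 * The arena_len guard only keeps this model memory-safe; the real loop had
 * nothing equivalent.  Returns how many bytes were modified. */
static int xlate_unbounded(unsigned char *arena, int arena_len, int start, unsigned char end_marker)
{
    int touched = 0;
    for (int i = start + 1; i < arena_len && arena[i] != end_marker; i++) {
        arena[i] += 0x20;
        touched++;
    }
    return touched;
}

/* Bounded version: translate only if end_marker lies within len, else -1. */
static int xlate_bounded(unsigned char *s, int len, int start, unsigned char end_marker)
{
    int end = -1;
    for (int i = start + 1; i < len; i++)
        if (s[i] == end_marker) { end = i; break; }
    if (end < 0)
        return -1;                 /* malformed: end marker not inside the buffer */
    for (int i = start + 1; i < end; i++)
        s[i] += 0x20;
    return end - start - 1;        /* number of bytes translated */
}

/* Report's scenario through the unbounded loop: bytes modified beyond the
 * 11-byte string (0 would mean no overrun). */
int overrun_bytes_for_sample(void)
{
    unsigned char arena[ARENA_SIZE];
    memset(arena, 'x', sizeof arena);          /* 'x' stands in for neighbouring locals */
    arena[STRAY_END] = END_PNP2;
    memcpy(arena, sample_id, sizeof sample_id);

    unsigned char end_marker;
    int start = find_pnp_start(arena, SAMPLE_LEN, &end_marker);   /* 2: the 0x08 wins */
    int touched = xlate_unbounded(arena, ARENA_SIZE, start, end_marker);
    return touched - (SAMPLE_LEN - start - 1);
}

/* Same scenario through the bounded parser: -1 signals malformed input. */
int bounded_result_for_sample(void)
{
    unsigned char buf[sizeof sample_id];
    memcpy(buf, sample_id, sizeof buf);
    unsigned char end_marker;
    int start = find_pnp_start(buf, SAMPLE_LEN, &end_marker);
    if (start < 0) return -2;
    return xlate_bounded(buf, SAMPLE_LEN, start, end_marker);
}

/* Constructed well-formed input "(ABC)": returns the translated byte count
 * if the payload became "abc", otherwise -1. */
int bounded_result_wellformed(void)
{
    unsigned char buf[] = { '(', 'A', 'B', 'C', ')', 0 };
    unsigned char end_marker;
    int start = find_pnp_start(buf, 5, &end_marker);
    int n = xlate_bounded(buf, 5, start, end_marker);
    return (n == 3 && memcmp(buf, "(abc)", 5) == 0) ? n : -1;
}

int main(void)
{
    printf("unbounded loop wrote %d bytes past the string\n", overrun_bytes_for_sample());
    printf("bounded parser on the report's string: %d\n", bounded_result_for_sample());
    printf("bounded parser on \"(ABC)\": %d bytes translated\n", bounded_result_wellformed());
    return 0;
}
```

With the report's input the begin marker chosen is the 0x08 at index 2, so the loop expects 0x09 and, finding none in the 11 bytes, keeps going until the stray byte at offset 40: 29 bytes outside the string are rewritten, which is the corruption of neighbouring locals the reporter saw. The bounded parser returns -1 on the same input and still translates the well-formed case.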

Comment 1 George Hawkins 2002-01-27 00:50:26 UTC
Created attachment 43637
A patch to serial.c that fixes this bug

Comment 2 Bill Nottingham 2002-02-25 17:58:28 UTC
Will be fixed in 0.99.48-1; thanks!
