Bug 191191 - app-mobilephone/gammu crash while --identify(ing) or --backup(ing)
Bug#: 191191
Product: Gentoo Linux
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: mobile-phone@gentoo.org
Reported By: tupone@gentoo.org
Component: Applications
Summary: app-mobilephone/gammu crash while --identify(ing) or --backup(ing)
Opened: 2007-09-03 22:12 0000

I attached my Siemens C72 to my desktop and gammu failed, with a segmentation
violation, on at least 2 commands.
That is due to missing buffer overflow checks in several places.

Reproducible: Always

I'm going to submit a patch that fixes these faults, just increasing the size
of the array it is writing into. No guarantee that with a more powerful phone
you will not overflow even the patched one.
Maybe, instead of patching this version, it is better to have the 1.13.0 version
in the tree. The 1.13.0 no longer needs the old patch file, just the new one,
as the 1.13.0 version is bugged too. At least we can hope upstream will take
more into account for the "incoming".
I will test more commands to see what else is bugged.

But this doesn't completely fix the buffer overflow occurring in GSM_GetFirmware.
There are 2 places where the firmware buffer overflow will occur: functions
GSM_Init and Backup (both in gammu.c).
Also SaveRingtoneEntry() could be modified to use a much smaller buffer (4096
bytes for instance) and do it safely.

Created an attachment (id=130106)
gammu-1.13.0-fixups.patch

Seems it is not possible to reuse a buffer of fixed length for
SaveRingtoneEntry(), so I used dynamic allocation instead.
Please check this patch with your phone.

The patched gammu-1.13.0 is now in the tree. The patch used is the one offered
by upstream.
Thanks!
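The two defensive patterns this bug discusses, as an added illustration that is not gammu's code or the attached patch: rejecting a device-supplied string that does not fit a fixed field (rather than just enlarging the array, which only moves the limit), and sizing a buffer dynamically from the data length as the patch did for SaveRingtoneEntry(). The function names, the 32-byte field and the sample strings are hypothetical.

```c
/* Added example, not from gammu: defensive handling of data read from a
 * phone over the serial link. Names and sizes here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative fixed-size field, standing in for a firmware buffer. */
#define FW_BUF_SIZE 32

/* Copies a device-reported firmware string into a fixed field.
 * Returns 0 on success, -1 if the response would not fit. Rejecting the
 * response is the fix; a larger array only changes which phone overflows it. */
int store_firmware_version(char *dst, size_t dstsz, const char *src, size_t srclen)
{
    if (dstsz == 0 || srclen >= dstsz)   /* keep room for the terminator */
        return -1;
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Dynamic allocation sized from the data length instead of a guessed
 * constant (the approach the patch took for SaveRingtoneEntry()).
 * Returns NULL on allocation failure; the caller frees the result. */
unsigned char *copy_ringtone_dynamic(const unsigned char *data, size_t len)
{
    unsigned char *buf = malloc(len ? len : 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, data, len);
    return buf;
}

/* Constructed sample: a response longer than the field, as a more capable
 * phone might send. Returns -1 because the copy is refused, not performed. */
int demo_overlong_response(void)
{
    char fw[FW_BUF_SIZE];
    char response[FW_BUF_SIZE + 8];
    memset(response, 'A', sizeof(response));
    return store_firmware_version(fw, sizeof(fw), response, sizeof(response));
}

int main(void)
{
    char fw[FW_BUF_SIZE];
    const char *ok = "10 01.02";   /* constructed sample firmware string */
    printf("short response: %d\n", store_firmware_version(fw, sizeof(fw), ok, strlen(ok)));
    printf("long response:  %d\n", demo_overlong_response());
    return 0;
}
```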