Dan Horák writes on Thu 05. 02. 2009 at 11:39 +0100:
> Dan Horák writes on Wed 04. 02. 2009 at 16:32 +0100:
> > Hi all,
> > 
> > I have found a few issues in the recent trunk of openhpi. They are
> 
> > - at least 3 failing tests (no analysis yet)
> > sahpi_struct_utils_test (buffer overflow with gcc 4.4, not present with
> > gcc 4.3 -
> > https://koji.fedoraproject.org/koji/getfile?taskID=1103811&name=build.log)
> 
> Analysis is here:
> 
> (gdb) where
> #0  0x00007fda66fb9f55 in raise () from /lib64/libc.so.6
> #1  0x00007fda66fbbac3 in abort () from /lib64/libc.so.6
> #2  0x00007fda66ff94e8 in __libc_message () from /lib64/libc.so.6
> #3  0x00007fda67086717 in __fortify_fail () from /lib64/libc.so.6
> #4  0x00007fda670845c0 in __chk_fail () from /lib64/libc.so.6
> #5  0x00007fda670837cd in __strncpy_chk () from /lib64/libc.so.6
> #6  0x00000000004033e8 in strncpy (__len=<value optimized out>, __src=<value optimized out>, __dest=<value optimized out>) at /usr/include/bits/string3.h:122
> #7  main (argc=<value optimized out>, argv=<value optimized out>) at sahpi_struct_utils_test.c:1317
> 
> (gdb) l 1317
> 1312          /* oh_print_ctrlrec: Normal stream testcase */
> 1313          control.Type = SAHPI_CTRL_TYPE_STREAM;
> 1314          control.TypeUnion.Stream.Default.Repeat = SAHPI_TRUE;
> 1315          control.TypeUnion.Stream.Default.StreamLength = strlen("Stream Data");
> 1316          memset(&control.TypeUnion.Stream.Default.Stream, 0, sizeof(SAHPI_CTRL_MAX_STREAM_LENGTH));
> 1317          strncpy((char *)control.TypeUnion.Stream.Default.Stream, "Stream Data" , strlen("Stream Data"));
> 1318          
> 1319          printf("Print control - normal stream case\n");
> 1320          err = oh_print_ctrlrec(&control, 1);
> 1321          if (err) {
> 
> The problem is that strncpy (line 1317) is copying a string of length 11
> into too small a space (an array of 4 uint8 members), defined below
> 
> sahpi_struct_utils_test.c:1255
> 
> SaHpiCtrlRecT control;
> 
> 
> relevant parts of include/SaHpi.h:
> 
> #define SAHPI_CTRL_MAX_STREAM_LENGTH 4
> typedef struct {
>     SaHpiBoolT   Repeat;       /* Repeat flag */
>     SaHpiUint32T StreamLength; /* Length of the data, in bytes,
>                                  stored in the stream. */
>     SaHpiUint8T  Stream[SAHPI_CTRL_MAX_STREAM_LENGTH];
> } SaHpiCtrlStateStreamT;
> 
> typedef struct {
>    SaHpiCtrlStateStreamT  Default;
> } SaHpiCtrlRecStreamT;
> 
> typedef union {
>     SaHpiCtrlRecDigitalT  Digital;
>     SaHpiCtrlRecDiscreteT Discrete;
>     SaHpiCtrlRecAnalogT   Analog;
>     SaHpiCtrlRecStreamT   Stream;
>     SaHpiCtrlRecTextT     Text;
>     SaHpiCtrlRecOemT      Oem;
> } SaHpiCtrlRecUnionT;
> 
> typedef struct {
>     SaHpiCtrlNumT         Num;         /* Control Number/Index */
>     SaHpiCtrlOutputTypeT  OutputType;
>     SaHpiCtrlTypeT        Type;        /* Type of Control */
>     SaHpiCtrlRecUnionT    TypeUnion;   /* Specific Control record */
>     SaHpiCtrlDefaultModeT DefaultMode; /*Indicates if the Control comes up
>                                          in Auto or Manual mode. */
>     SaHpiBoolT            WriteOnly;   /* Indicates if the Control is
>                                           write-only. */
>     SaHpiUint32T          Oem;         /* Reserved for OEM use */
> } SaHpiCtrlRecT;
> 

The same issue exists in the next lines too. The attached patch makes
sahpi_struct_utils_test compile and run successfully, but I am not
sure whether it is correct with respect to the standards and the goal
of this test.

New bug opened as
https://sourceforge.net/tracker2/?func=detail&aid=2568358&group_id=71730&atid=532251


                Dan

From 60bbfb63425de0788bbe973bff06f0ccbc91b75d Mon Sep 17 00:00:00 2001
From: Dan Horak <[email protected]>
Date: Thu, 5 Feb 2009 12:15:23 +0100
Subject: [PATCH] fix buffer overflow in tests

---
 utils/t/sahpi/sahpi_struct_utils_test.c |   18 +++++++-----------
 1 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/utils/t/sahpi/sahpi_struct_utils_test.c b/utils/t/sahpi/sahpi_struct_utils_test.c
index d2733da..1baad4f 100644
--- a/utils/t/sahpi/sahpi_struct_utils_test.c
+++ b/utils/t/sahpi/sahpi_struct_utils_test.c
@@ -1312,9 +1312,8 @@ int main(int argc, char **argv)
 	/* oh_print_ctrlrec: Normal stream testcase */
 	control.Type = SAHPI_CTRL_TYPE_STREAM;
 	control.TypeUnion.Stream.Default.Repeat = SAHPI_TRUE;
-	control.TypeUnion.Stream.Default.StreamLength = strlen("Stream Data");
-	memset(&control.TypeUnion.Stream.Default.Stream, 0, sizeof(SAHPI_CTRL_MAX_STREAM_LENGTH));
-        strncpy((char *)control.TypeUnion.Stream.Default.Stream, "Stream Data" , strlen("Stream Data"));
+	control.TypeUnion.Stream.Default.StreamLength = MIN(SAHPI_CTRL_MAX_STREAM_LENGTH, strlen("Stream Data"));
+        strncpy((char *)control.TypeUnion.Stream.Default.Stream, "Stream Data", SAHPI_CTRL_MAX_STREAM_LENGTH);
 	
 	printf("Print control - normal stream case\n");
 	err = oh_print_ctrlrec(&control, 1);
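Review bot: the new strncpy line copies only the first SAHPI_CTRL_MAX_STREAM_LENGTH bytes of "Stream Data" and, because the source is longer than the count, writes no NUL terminator; that is acceptable for a fixed-length byte array whose length travels in StreamLength, and the MIN() on the preceding line keeps StreamLength consistent, but the "Normal stream testcase" no longer exercises the string it names, so either shorten the literal to fit the array or say in the comment that truncation is intended. Two smaller points: MIN is not defined anywhere in the visible lines, so confirm the file already has it, and the removed memset used sizeof(SAHPI_CTRL_MAX_STREAM_LENGTH), which is the size of an int rather than of the array; that mistake is worth a sentence in the commit message. The strncpy line also keeps its space-indented prefix while the surrounding lines use tabs.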
@@ -1333,9 +1332,8 @@ int main(int argc, char **argv)
 	control.TypeUnion.Text.Default.Line = 1;
 	control.TypeUnion.Text.Default.Text.DataType = SAHPI_TL_TYPE_TEXT;
 	control.TypeUnion.Text.Default.Text.Language = SAHPI_LANG_ENGLISH;
-	memset(&control.TypeUnion.Text.Default.Text.Data, 0, sizeof(SAHPI_MAX_TEXT_BUFFER_LENGTH));
-	control.TypeUnion.Text.Default.Text.DataLength = strlen("Text Data");
-        strncpy((char *)(control.TypeUnion.Text.Default.Text.Data), "Text Data" , strlen("Text Data"));
+	control.TypeUnion.Text.Default.Text.DataLength = MIN(SAHPI_MAX_TEXT_BUFFER_LENGTH, strlen("Text Data"));
+        strncpy((char *)(control.TypeUnion.Text.Default.Text.Data), "Text Data", SAHPI_MAX_TEXT_BUFFER_LENGTH);
 	
 	printf("Print control - normal text case\n");
 	err = oh_print_ctrlrec(&control, 1);
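Review bot: the old strncpy here copied strlen("Text Data") bytes into Text.Data, so unlike the stream hunk this was not an overflow unless SAHPI_MAX_TEXT_BUFFER_LENGTH is smaller than 9; what the hunk really fixes is the removed memset, whose sizeof(SAHPI_MAX_TEXT_BUFFER_LENGTH) evaluated to the size of an int instead of the buffer, leaving most of Text.Data unzeroed, and the new strncpy with the full buffer length now pads the remainder with zeros. The subject "fix buffer overflow in tests" does not describe this change, so add a line to the commit message. Same tab/space mix on the strncpy line as in the first hunk.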
@@ -1348,12 +1346,10 @@ int main(int argc, char **argv)
 	/* oh_print_ctrlrec: Normal oem testcase */
 	control.Type = SAHPI_CTRL_TYPE_OEM;
 	control.TypeUnion.Oem.MId = 1;
-	memset(&control.TypeUnion.Oem.ConfigData, 0, SAHPI_CTRL_MAX_OEM_BODY_LENGTH);
-	strncpy((char *)control.TypeUnion.Oem.ConfigData, "Config Data", strlen("Config Data"));
+	strncpy((char *)control.TypeUnion.Oem.ConfigData, "Config Data", SAHPI_CTRL_OEM_CONFIG_LENGTH);
 	control.TypeUnion.Oem.Default.MId = 1;
-	control.TypeUnion.Oem.Default.BodyLength = strlen("Config Default");
-	memset(&control.TypeUnion.Oem.Default.Body, 0, SAHPI_CTRL_MAX_OEM_BODY_LENGTH);
-	strncpy((char *)control.TypeUnion.Oem.Default.Body, "Config Default", strlen("Config Default")); 
+	control.TypeUnion.Oem.Default.BodyLength = MIN(SAHPI_CTRL_MAX_OEM_BODY_LENGTH, strlen("Config Default"));
+	strncpy((char *)control.TypeUnion.Oem.Default.Body, "Config Default", SAHPI_CTRL_MAX_OEM_BODY_LENGTH); 
 	
 	printf("Print control - normal OEM case\n");
 	err = oh_print_ctrlrec(&control, 1);
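Review bot: ConfigData is sized with two different constants in this hunk: the removed memset used SAHPI_CTRL_MAX_OEM_BODY_LENGTH, the new strncpy uses SAHPI_CTRL_OEM_CONFIG_LENGTH. Only one of them can be the array's real dimension; if it is SAHPI_CTRL_OEM_CONFIG_LENGTH, the old memset was itself an out-of-bounds write and the commit message should say so. Note also that "Config Data" is silently cut short whenever it is longer than SAHPI_CTRL_OEM_CONFIG_LENGTH, and unlike Body there is no length field set next to ConfigData to record how many bytes are valid, so a literal that fits would make the test clearer. The final + line carries over the trailing whitespace of the line it replaces.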
-- 
1.6.0.6
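
As an added illustration of the pattern this thread is about (not code from openhpi or from the patch above), the following stand-alone C program mirrors the SaHpiCtrlStateStreamT layout from the quoted SaHpi.h excerpt and shows a bounded setter that sizes both the zero-fill and the copy from the array itself instead of from sizeof() of a constant, and reports truncation so a test can assert on it. The struct is re-typed here with fixed-width stand-ins for the SaHpi typedefs only to keep the program self-contained; the helper names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed mirror of the SaHpi.h excerpt quoted in the thread: only the
 * fields needed for the stream case, with fixed-width stand-ins for the
 * SaHpi typedefs. */
#define SAHPI_CTRL_MAX_STREAM_LENGTH 4

typedef struct {
    uint8_t  Repeat;                               /* Repeat flag */
    uint32_t StreamLength;                         /* bytes stored in Stream */
    uint8_t  Stream[SAHPI_CTRL_MAX_STREAM_LENGTH]; /* raw bytes, not a C string */
} StreamState;

/* Hypothetical helper. Copies as much of src as fits, zero-fills the rest,
 * records the stored length and returns 1 if src had to be truncated. */
int stream_set(StreamState *s, const char *src)
{
    size_t len = strlen(src);
    size_t cap = sizeof(s->Stream);        /* the array's size, never sizeof(int) */
    size_t n   = len < cap ? len : cap;    /* same bound as MIN() in the patch */

    memset(s->Stream, 0, cap);
    memcpy(s->Stream, src, n);             /* field is not NUL-terminated: memcpy */
    s->StreamLength = (uint32_t)n;
    return len > cap;
}

/* The original test zeroed sizeof(SAHPI_CTRL_MAX_STREAM_LENGTH) bytes; this
 * returns what that expression actually is: the size of an int, not the array. */
size_t sizeof_constant_trap(void)
{
    return sizeof(SAHPI_CTRL_MAX_STREAM_LENGTH);
}

int main(void)
{
    StreamState s;
    int truncated = stream_set(&s, "Stream Data");   /* 11 bytes offered, 4 kept */
    printf("truncated=%d StreamLength=%u data=%.*s\n", truncated,
           (unsigned)s.StreamLength, (int)s.StreamLength, (const char *)s.Stream);
    printf("sizeof(SAHPI_CTRL_MAX_STREAM_LENGTH)=%zu sizeof(Stream)=%zu\n",
           sizeof_constant_trap(), sizeof(s.Stream));
    return 0;
}
```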

_______________________________________________
Openhpi-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openhpi-devel
