Date:      Sun, 19 Nov 2000 10:48:00 -0500
From:      "Daniel M. Eischen" <eischen@vigrid.com>
To:        current@freebsd.org
Subject:   pccardd dies with SIGSEGV [PATCH included]
Message-ID:  <3A17F630.6E1B6F45@vigrid.com>

Many weeks ago, I noticed that pccardd died with a SIGSEGV when
I inserted my Motorola Montana 33.6 fax/modem.  I'm not sure of
the exact time as to when this occurred, but I know that pccardd
had been working just fine with this card.  I finally found the
time to track down the problem (now that I really need to use it).

Here's an excerpt from `pccardc dumpcis`:

  Tuple #2, code = 0x15 (Version 1 info), length = 39
      000:  04 01 4d 6f 74 6f 72 6f 6c 61 00 4d 4f 4e 54 41
      010:  4e 41 20 33 33 2e 36 20 46 41 58 2f 4d 4f 44 45
      020:  4d 00 56 32 2e 30 00
          Version = 4.1, Manuf = [Motorola], card vers = [MONTANA 33.6 FAX/MODEM]
          Addit. info = [V2.0],[]
                               ^^ Note this field is empty

When pccardd reads the field above, the length is supposedly 4,
but garbage is read in and the field is not terminated with a
null character.  This causes problems later on when the field
is copied using strdup().

Attached is a patch that fixes the problem for me.  I can offer
a `pccardc dumpcis` and a full gdb session that shows the problem
to anyone interested.

-- 
Dan Eischen

Index: readcis.c
===================================================================
RCS file: /opt/b/CVS/src/usr.sbin/pccard/pccardd/readcis.c,v
retrieving revision 1.20
diff -u -r1.20 readcis.c
--- readcis.c	2000/06/18 20:22:11	1.20
+++ readcis.c	2000/11/19 16:30:57
@@ -202,7 +202,9 @@
 		cp->manuf = NULL;
 	}
 	if (len > 1 && *p != 0xff) {
-		cp->manuf = strdup(p);
+		/* cp->manuf = strdup(p); */
+		cp->manuf = xmalloc(len + 1);
+		strncat(cp->manuf, p, len);
 		while (*p++ && --len > 0);
 	}
 	if (cp->vers) {
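Review bot: `strncat(cp->manuf, p, len)` on the last `+` line relies on `cp->manuf[0]` already being NUL, because strncat appends after the existing terminator; that is only safe if `xmalloc` is known to return zeroed memory, which this hunk does not show. Either set `cp->manuf[0] = '\0'` before the call or replace the pair with `memcpy(cp->manuf, p, len); cp->manuf[len] = '\0';`, and delete the commented-out `/* cp->manuf = strdup(p); */` rather than leaving dead code. The bounded copy is also applied only to `cp->manuf`; the `if (cp->vers) {` context that follows suggests the remaining version-1 strings are handled the same way, and the report itself concerns the empty additional-info field, so any of those still copied with `strdup()` need the same fix.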

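As an added example, not pccardd's code and not part of the message above, here is a bounded parser for the CISTPL_VERS_1 (0x15) tuple payload from the dumpcis excerpt. It walks the NUL-terminated strings without ever reading past the tuple length, which is the property the strdup() call lacked, and it generalizes beyond the report to any number of additional-info strings and the 0xff list terminator. The names (`vers1`, `parse_vers1`, `bounded_dup`, `free_vers1`) are my own; the 39 bytes of `montana` are copied from the dumpcis output, and the one-byte-short variant in main() is constructed so that the last field ("V2.0", 4 bytes left) has no terminator inside the tuple, mirroring the "length 4, not NUL-terminated" case described in the report.

```c
/*
 * Added example, not pccardd code: a bounded parser for the CISTPL_VERS_1
 * (0x15) tuple payload: major/minor bytes, then NUL-terminated strings
 * (manufacturer, product, additional info) ending with 0xff.  Each string is
 * copied with an explicit bound and always NUL-terminated, so a field that
 * runs to the end of the tuple without a NUL can't make the copy read past it.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VERS1_MAX_STRINGS 4

struct vers1 {
	unsigned major, minor;
	char *str[VERS1_MAX_STRINGS];	/* manuf, product, info1, info2 */
	int nstr;			/* number of strings found */
	int truncated;			/* last string had no NUL inside the tuple */
};

/* Like strdup(), but never reads beyond p[n-1]; result is always terminated. */
static char *
bounded_dup(const uint8_t *p, size_t n)
{
	size_t len = 0;
	char *s;

	while (len < n && p[len] != '\0')
		len++;
	if ((s = malloc(len + 1)) == NULL)
		return (NULL);
	memcpy(s, p, len);
	s[len] = '\0';
	return (s);
}

/* Parse a payload of tlen bytes.  Returns 0, or -1 if the header is short. */
int
parse_vers1(const uint8_t *tup, size_t tlen, struct vers1 *v)
{
	size_t off = 2;

	memset(v, 0, sizeof(*v));
	if (tlen < 2)
		return (-1);
	v->major = tup[0];
	v->minor = tup[1];
	while (v->nstr < VERS1_MAX_STRINGS && off < tlen && tup[off] != 0xff) {
		size_t avail = tlen - off, n = 0;

		while (n < avail && tup[off + n] != '\0')
			n++;
		v->str[v->nstr++] = bounded_dup(tup + off, avail);
		if (n == avail) {	/* ran off the end: no terminator */
			v->truncated = 1;
			break;
		}
		off += n + 1;		/* skip the string and its NUL */
	}
	return (0);
}

void
free_vers1(struct vers1 *v)
{
	for (int i = 0; i < v->nstr; i++)
		free(v->str[i]);
	v->nstr = 0;
}

/* The 39-byte payload from the `pccardc dumpcis` excerpt above. */
static const uint8_t montana[] = {
	0x04, 0x01, 0x4d, 0x6f, 0x74, 0x6f, 0x72, 0x6f, 0x6c, 0x61, 0x00, 0x4d,
	0x4f, 0x4e, 0x54, 0x41, 0x4e, 0x41, 0x20, 0x33, 0x33, 0x2e, 0x36, 0x20,
	0x46, 0x41, 0x58, 0x2f, 0x4d, 0x4f, 0x44, 0x45, 0x4d, 0x00, 0x56, 0x32,
	0x2e, 0x30, 0x00,
};

int
main(void)
{
	struct vers1 v;

	parse_vers1(montana, sizeof(montana), &v);
	printf("Version %u.%u, %d strings, truncated=%d\n",
	    v.major, v.minor, v.nstr, v.truncated);
	for (int i = 0; i < v.nstr; i++)
		printf("  [%s]\n", v.str[i]);
	free_vers1(&v);

	/* Constructed case: drop the final NUL so the last field is unterminated. */
	parse_vers1(montana, sizeof(montana) - 1, &v);
	printf("Short tuple: truncated=%d, last=[%s]\n", v.truncated, v.str[v.nstr - 1]);
	free_vers1(&v);
	return (0);
}
```

The point of `bounded_dup` is that the bound comes from the tuple length, not from where the next NUL happens to be; with the short payload the parser still returns "V2.0" and flags `truncated`, where a strdup() of the same pointer would scan whatever follows the tuple in memory.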







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A17F630.6E1B6F45>