Date: Sun, 19 Nov 2000 10:48:00 -0500 From: "Daniel M. Eischen" <eischen@vigrid.com> To: current@freebsd.org Subject: pccardd dies with SIGSEGV [PATCH included] Message-ID: <3A17F630.6E1B6F45@vigrid.com>
next in thread | raw e-mail | index | archive | help
This is a multi-part message in MIME format. --------------3A4C922084D75946AE21466B Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Many weeks ago, I noticed that pccardd died with a SIGSEGV when I inserted my Motorola Montana 33.6 fax/modem. I'm not sure of the exact time as to when this occurred, but I know that pccardd had been working just fine with this card. I finally found the time to track down the problem (now that I really need to use it). Here's an excerpt from `pccardc dumpcis`: Tuple #2, code = 0x15 (Version 1 info), length = 39 000: 04 01 4d 6f 74 6f 72 6f 6c 61 00 4d 4f 4e 54 41 010: 4e 41 20 33 33 2e 36 20 46 41 58 2f 4d 4f 44 45 020: 4d 00 56 32 2e 30 00 Version = 4.1, Manuf = [Motorola], card vers = [MONTANA 33.6 FAX/MODEM] Addit. info = [V2.0],[] ^^ Note this field is empty When pccardd reads the field above, the length is supposedly 4, but garbage is read in and the field is not terminated with a null character. This causes problems later on when the field is copied using strdup(). Attach is a patch that fixes the problem for me. I can offer a `pccardc dumpcis` and a full gdb session that shows the problem to anyone interested. -- Dan Eischen --------------3A4C922084D75946AE21466B Content-Type: text/plain; charset=us-ascii; name="read_cis.diffs" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="read_cis.diffs" Index: readcis.c =================================================================== RCS file: /opt/b/CVS/src/usr.sbin/pccard/pccardd/readcis.c,v retrieving revision 1.20 diff -u -r1.20 readcis.c --- readcis.c 2000/06/18 20:22:11 1.20 +++ readcis.c 2000/11/19 16:30:57 @@ -202,7 +202,9 @@ cp->manuf = NULL; } if (len > 1 && *p != 0xff) { - cp->manuf = strdup(p); + /* cp->manuf = strdup(p); */ + cp->manuf = xmalloc(len + 1); + strncat(cp->manuf, p, len); while (*p++ && --len > 0); } if (cp->vers) { --------------3A4C922084D75946AE21466B-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A17F630.6E1B6F45>