59664 – segfault in "qmicli -d /dev/cdc-wdm2 --nas-get-system-info"

Bug 59664 - segfault in "qmicli -d /dev/cdc-wdm2 --nas-get-system-info"

Summary: segfault in "qmicli -d /dev/cdc-wdm2 --nas-get-system-info"

Status:	RESOLVED FIXED

Alias:	None

Product:	libqmi
Classification:	Unclassified
Component:	libqmi (show other bugs)
Version:	unspecified
Hardware:	Other All

Importance:	medium minor
Assignee:	Dan Williams
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2013-01-21 14:42 UTC by Jeroen Massar
Modified:	2013-01-22 17:02 UTC (History)
CC List:	1 user (show)

See Also:
i915 platform:
i915 features:

Attachments

Description Jeroen Massar 2013-01-21 14:42:44 UTC

I am playing with libqmi and got a segfault:

{{{
bliss:/tmp# gdb qmicli
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/qmicli...Reading symbols from /usr/lib/debug/.build-id/24/a16d5ae2add04c47c4e68258b5e88d75ffdac7.debug...done.
done.
(gdb) r -d /dev/cdc-wdm2 --nas-get-system-info
Starting program: /usr/bin/qmicli -d /dev/cdc-wdm2 --nas-get-system-info
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff59b1700 (LWP 23028)]
[/dev/cdc-wdm2] Successfully got system info:
	GSM service:
		Status: 'none'
		True Status: 'none'
		Preferred data path: 'no'
	WCDMA service:
		Status: 'available'
		True Status: 'available'
		Preferred data path: 'no'
		Domain: 'cs-ps'
		Service capability: 'cs-ps'
		Roaming status: 'off'
		Forbidden: 'no'
		Location Area Code: '1234'
		Cell ID: '12345'
		MCC: '123'

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6ef8e21 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007ffff6ef8e21 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff6ee098e in fputs () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff7593baf in g_print () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x0000000000419668 in get_system_info_ready (client=<optimized out>, res=<optimized out>) at qmicli-nas.c:1394
#4  0x00007ffff7afa537 in g_simple_async_result_complete () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#5  0x00007ffff72836c0 in get_system_info_ready (device=<optimized out>, res=<optimized out>, simple=0x63bea0) at qmi-nas.c:55078
#6  0x00007ffff7afa537 in g_simple_async_result_complete () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#7  0x00007ffff7afa639 in ?? () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#8  0x00007ffff758c355 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#9  0x00007ffff758c688 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#10 0x00007ffff758ca82 in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#11 0x00000000004107e3 in main (argc=1, argv=0x7fffffffec48) at qmicli.c:527
(gdb)
(gdb) up
#1  0x00007ffff6ee098e in fputs () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) up
#2  0x00007ffff7593baf in g_print () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
(gdb) up
#3  0x0000000000419668 in get_system_info_ready (client=<optimized out>, res=<optimized out>) at qmicli-nas.c:1394
1394	                        g_print ("\t\tMNC: '%.3s'\n", mnc);
(gdb) p mnc
$1 = (const gchar *) 0x643134 "01\377"
(gdb) p mnc[0]
$2 = 48 '0'
(gdb) p mnc[1]
$3 = 49 '1'
(gdb) p mnc[2]
$4 = -1 '\377' 
}}}

Related Code:
{{{
                if (network_id_valid) {
                    g_print ("\t\tMCC: '%s'\n", mcc);
                    if (mnc[2] == 0xFF)
                        g_print ("\t\tMNC: '%.2s'\n", mnc);
                    else
                        g_print ("\t\tMNC: '%.3s'\n", mnc);
                }
}}}

In theory this should be fine, as one is only printing two chars, but I am not sure if g_print will actually still read till the end of the (null-terminated) string. Might just want to print 2/3 %c's instead.

Changing it to:
{{{
                if (network_id_valid) {
                    if (mnc[2] == 0xFF)
                        g_print ("\t\tMNC: '%c%c'\n", mnc[0], mnc[1]);
                    else
                        g_print ("\t\tMNC: '%c%c%c'\n", mnc[0], mnc[1], mnc[2]);
                }
}}}

Results in:
{{{
(gdb) r -d /dev/cdc-wdm2 --nas-get-system-info
Starting program: /tmp/pkg-libqmi/cli/.libs/qmicli -d /dev/cdc-wdm2 --nas-get-system-info
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff59b1700 (LWP 28575)]
[/dev/cdc-wdm2] Successfully got system info:
	GSM service:
		Status: 'none'
		True Status: 'none'
		Preferred data path: 'no'
	WCDMA service:
		Status: 'available'
		True Status: 'available'
		Preferred data path: 'no'
		Domain: 'cs-ps'
		Service capability: 'cs-ps'
		Roaming status: 'off'
		Forbidden: 'no'
		Location Area Code: '1234'
		Cell ID: '12345'
		MCC: '123'
		MNC: '12?'
		HS call status: 'hsdpa-hsupa-unsupported'
		HS service: 'hsdpa-hsupa-unsupported'
		Cell broadcast support: 'off'
		Call barring status (CS): 'unknown'
		Call barring status (PS): 'unknown'
		Cipher Domain: 'none'
	LTE service:
		Status: 'none'
		True Status: 'none'
		Preferred data path: 'no'
[Thread 0x7ffff7fea7a0 (LWP 28572) exited]
[Inferior 1 (process 28572) exited normally]
}}}

Comment 1 Aleksander Morgado 2013-01-22 15:08:34 UTC

With your change in...

> 		MCC: '123'
> 		MNC: '12?'

how come you got the '?' here?

Comment 2 Jeroen Massar 2013-01-22 15:57:47 UTC

(In reply to comment #1)
> With your change in...
> 
> > 		MCC: '123'
> > 		MNC: '12?'
> 
> how come you got the '?' here?

Like because of UTF-8 as all my terminals are configured to use that.

It is -1 according to gdb, maybe the datatype of the variable causes it, though 0xff would be an unknown char...

Comment 3 Aleksander Morgado 2013-01-22 16:08:57 UTC


> > With your change in...
> > 
> > > 		MCC: '123'
> > > 		MNC: '12?'
> > 
> > how come you got the '?' here?
> 
> Like because of UTF-8 as all my terminals are configured to use that.
> 
> It is -1 according to gdb, maybe the datatype of the variable causes it,
> though 0xff would be an unknown char...

But wouldn't it only be printing two chars?

   if (mnc[2] == 0xFF)
       g_print ("\t\tMNC: '%c%c'\n", mnc[0], mnc[1]);

Comment 4 Aleksander Morgado 2013-01-22 16:11:09 UTC

(In reply to comment #3)
> 
> > > With your change in...
> > > 
> > > > 		MCC: '123'
> > > > 		MNC: '12?'
> > > 
> > > how come you got the '?' here?
> > 
> > Like because of UTF-8 as all my terminals are configured to use that.
> > 
> > It is -1 according to gdb, maybe the datatype of the variable causes it,
> > though 0xff would be an unknown char...
> 
> But wouldn't it only be printing two chars?
> 
>    if (mnc[2] == 0xFF)
>        g_print ("\t\tMNC: '%c%c'\n", mnc[0], mnc[1]);

Oh, sign issue maybe? Try with:
    if ((guchar)mnc[2] == 0xFF)

Comment 5 Aleksander Morgado 2013-01-22 16:15:22 UTC

(In reply to comment #4)
> (In reply to comment #3)
> > 
> > > > With your change in...
> > > > 
> > > > > 		MCC: '123'
> > > > > 		MNC: '12?'
> > > > 
> > > > how come you got the '?' here?
> > > 
> > > Like because of UTF-8 as all my terminals are configured to use that.
> > > 
> > > It is -1 according to gdb, maybe the datatype of the variable causes it,
> > > though 0xff would be an unknown char...
> > 
> > But wouldn't it only be printing two chars?
> > 
> >    if (mnc[2] == 0xFF)
> >        g_print ("\t\tMNC: '%c%c'\n", mnc[0], mnc[1]);
> 
> Oh, sign issue maybe? Try with:
>     if ((guchar)mnc[2] == 0xFF)

Indeed that's the problem. So the print with .2 or .3 is ok, it's just that it does never get into the if()

Will change that.

Comment 6 Aleksander Morgado 2013-01-22 16:18:53 UTC

Fixed in commit 9e60ef6c0f3e6ac579fb360481488c5ed00382cc.

Comment 7 Jeroen Massar 2013-01-22 17:02:25 UTC

(In reply to comment #6)
> Fixed in commit 9e60ef6c0f3e6ac579fb360481488c5ed00382cc.

Great! I love seeing that bugs (even a trivial one like this ;) get fixed quickly, thanks and keep up the work!


(now for the package to go officially into debian, until then the package from alioth works fine)

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.