Bug 230991 - obexftpd(1) segfault
Summary: obexftpd(1) segfault
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: obexftp
Version: rawhide
Hardware: i686
OS: Linux
Priority: medium
Severity: urgent
Target Milestone: ---
Assignee: Dominik 'Rathann' Mierzejewski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-03-05 12:48 UTC by Jan Kratochvil
Modified: 2007-11-30 22:11 UTC
CC List: 0 users

Fixed In Version: 0.22-0.2.pre4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-03-27 19:42:16 UTC


Attachments
Text output (deleted), 2007-03-05 12:48 UTC, Jan Kratochvil, no flags
core file (deleted), 2007-03-05 12:50 UTC, Jan Kratochvil, no flags
rpm -qa (deleted), 2007-03-05 12:51 UTC, Jan Kratochvil, no flags
Fixed text output (deleted), 2007-03-05 12:53 UTC, Jan Kratochvil, no flags
File reader memory corruption fix (deleted, patch), 2007-03-26 09:12 UTC, Jan Kratochvil, no flags

Description Jan Kratochvil 2007-03-05 12:48:09 UTC
Description of problem:
First I tried obexftpd(1); it just always crashes.

Version-Release number of selected component (if applicable):
obexftp-0.20-3.fc7.i386

How reproducible:
Always.

Steps to Reproduce:
1. obexftpd -b
2. On Vodafone Japan 802SE (branded SonyEricsson V800) click "browse"

Actual results:
*** buffer overflow detected ***: obexftpd terminated
[attached]

Expected results:
Something I have never seen, without the segfault.

Additional info:
More debugging upon request.

Comment 1 Jan Kratochvil 2007-03-05 12:48:10 UTC
Created attachment 149257 [details]
Text output

Comment 2 Jan Kratochvil 2007-03-05 12:50:32 UTC
Created attachment 149258 [details]
core file

Comment 3 Jan Kratochvil 2007-03-05 12:51:48 UTC
Created attachment 149259 [details]
rpm -qa

Comment 4 Jan Kratochvil 2007-03-05 12:53:57 UTC
Created attachment 149260 [details]
Fixed text output

Attachment in Comment 2 looks broken, copy-pasted + reattached.

Comment 5 Dominik 'Rathann' Mierzejewski 2007-03-25 14:38:37 UTC
I cannot reproduce this, because none of the phones I have at hand have such a
feature. I've updated obexftp to 0.22-pre4. It should be in tomorrow's rawhide.
Please test.

Comment 6 Jan Kratochvil 2007-03-26 08:35:04 UTC
Interesting you took the maintainership in this case.
It could already display the directory list but it crashes trying to transfer a
file:
name=prophecy.png, size=1711360
*** buffer overflow detected ***: obexftpd terminated
======= Backtrace: =========
/lib/i686/nosegneg/libc.so.6(__chk_fail+0x41)[0x6f40c1]
/lib/i686/nosegneg/libc.so.6(__read_chk+0x50)[0x6f4550]
obexftpd[0x804a78f]
obexftpd[0x804b248]
/usr/lib/libopenobex.so.1[0xd5655a]
/usr/lib/libopenobex.so.1[0xd587d2]
/usr/lib/libopenobex.so.1[0xd567a7]
/usr/lib/libopenobex.so.1[0xd5828c]
/usr/lib/libopenobex.so.1(OBEX_HandleInput+0x2d)[0xd55f3d]
obexftpd[0x8049684]
obexftpd[0x8049939]
/lib/i686/nosegneg/libc.so.6(__libc_start_main+0xe0)[0x623ec0]
obexftpd[0x80494d1]
======= Memory map: ========
Aborted


Comment 7 Jan Kratochvil 2007-03-26 09:12:34 UTC
Created attachment 150884 [details]
File reader memory corruption fix

This way it started working for me, thanks for the packaging.
Would you take care of the upstream or should I push it there?
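The backtrace in comment 6 (`__read_chk` calling `__chk_fail`) is glibc's _FORTIFY_SOURCE wrapper rejecting a read() whose requested length exceeds the destination buffer, which matches the "file reader memory corruption" the patch in comment 7 addresses. As an added illustration, not obexftpd's code or the attached patch, here is that pattern beside a bounded reader; the 256-byte staging buffer, the announced object size and the tmpfile input are assumptions.

```c
/* Added example, not obexftpd's code or the attached patch: the read() pattern
 * __read_chk aborts on, beside a bounded reader. Sizes and input are assumed. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Unsafe: the peer's announced object size goes straight to read(). Under
 * _FORTIFY_SOURCE this compiles to __read_chk(fd, buf, n, sizeof buf), which
 * aborts with "*** buffer overflow detected ***" when n > sizeof buf. */
ssize_t unsafe_read_object(int fd, size_t object_size)
{
    unsigned char buf[256];              /* assumed fixed-size staging buffer */
    return read(fd, buf, object_size);   /* length unrelated to sizeof buf */
}

/* Fixed: cap every read() at the remaining capacity of buf; returns bytes
 * consumed, or -1 on I/O error. */
ssize_t safe_read_object(int fd, size_t object_size)
{
    unsigned char buf[256];
    size_t total = 0;
    while (total < object_size) {
        size_t want = object_size - total;
        if (want > sizeof buf) want = sizeof buf;  /* the missing bound */
        ssize_t n = read(fd, buf, want);
        if (n < 0) return -1;
        if (n == 0) break;          /* EOF before the announced size */
        total += (size_t)n;         /* real code hands buf to the consumer here */
    }
    return (ssize_t)total;
}

/* Self-check on constructed input: a temp file of `available` bytes, read as if
 * the peer had announced `announced` bytes (no real phone involved). */
ssize_t demo_transfer(size_t available, size_t announced)
{
    FILE *f = tmpfile();
    if (!f) return -1;
    unsigned char pattern[4096];
    memset(pattern, 'A', sizeof pattern);
    for (size_t left = available, w; left > 0; left -= w) {
        w = left < sizeof pattern ? left : sizeof pattern;
        if (fwrite(pattern, 1, w, f) != w) { fclose(f); return -1; }
    }
    fflush(f); lseek(fileno(f), 0, SEEK_SET);   /* read the raw fd from the start */
    ssize_t got = safe_read_object(fileno(f), announced);
    fclose(f);
    return got;
}
```

A 1711360-byte object (the size from comment 6) streams through the 256-byte buffer without ever asking read() for more than the buffer holds, and a sender that closes early yields a short count rather than an overflow.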

Comment 8 Jan Kratochvil 2007-03-26 09:14:59 UTC
Off-topic for this bug: I can't access any parent directory.
Even after adding <parent-folder /> there, so it looks like a bug in my Vodafone
Japan 802SE (branded SonyEricsson V800). Explicit <folder name=".." /> would
probably help, but that would be an ugly workaround.


Comment 9 Dominik 'Rathann' Mierzejewski 2007-03-26 11:58:35 UTC
(In reply to comment #6)
> Interesting you took the maintainership in this case.

I needed obexftp, so I packaged it. I haven't had any need for obexftpd yet.
If you want to co-maintain this, you're most welcome.

(In reply to comment #7)
> Created an attachment (id=150884)
> File reader memory corruption fix
> 
> This way it started working for me, thanks for the packaging.
> Would you take care of the upstream or should I push it there?

Thank you, I'll forward it upstream.


Comment 10 Dominik 'Rathann' Mierzejewski 2007-03-27 19:42:16 UTC
Patched package built, patch forwarded upstream. Thanks a lot!

