[OpenWrt-Devel] [PATCH] wview: fix segmentation fault in WMR USB driver

Sun, 10 Mar 2013 11:35:49 -0700 

Do not overflow the input buffer. This happens on slow hosts that take
long time to recompute the data on start.

Signed-off-by: Paul Fertser <fercer...@gmail.com>
---

This is really important because without this patch the weather daemon
can't start at all after having collected some statistics over the
months.

Please also apply http://patchwork.openwrt.org/patch/3025/ , it is
well-tested by now and is certainly needed for the cool russian
winters :)

 utils/wview/Makefile                               |    2 +-
 .../050-WMRUSB-fix-segfault-buffer-overflow.patch  |   18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletions(-)
 create mode 100644 
utils/wview/patches/050-WMRUSB-fix-segfault-buffer-overflow.patch

diff --git a/utils/wview/Makefile b/utils/wview/Makefile
index 32e9de6..f231fa7 100644
--- a/utils/wview/Makefile
+++ b/utils/wview/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wview
 PKG_VERSION:=5.19.0-jgoerzen
-PKG_RELEASE=$(PKG_SOURCE_VERSION)-r1
+PKG_RELEASE=$(PKG_SOURCE_VERSION)-r2
 PKG_SOURCE_URL:=git://github.com/jgoerzen/wview.git
 PKG_SOURCE_VERSION:=7bfac6c11e756290c38e7b5862a4c51b6bc6c51e
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
diff --git a/utils/wview/patches/050-WMRUSB-fix-segfault-buffer-overflow.patch 
b/utils/wview/patches/050-WMRUSB-fix-segfault-buffer-overflow.patch
new file mode 100644
index 0000000..be518c6
--- /dev/null
+++ b/utils/wview/patches/050-WMRUSB-fix-segfault-buffer-overflow.patch
@@ -0,0 +1,18 @@
+Index: wview-5.19.0-jgoerzen/stations/WMRUSB/wmrusbprotocol.c
+===================================================================
+--- wview-5.19.0-jgoerzen.orig/stations/WMRUSB/wmrusbprotocol.c        
2013-03-10 22:24:28.000000000 +0400
++++ wview-5.19.0-jgoerzen/stations/WMRUSB/wmrusbprotocol.c     2013-03-10 
22:25:01.000000000 +0400
+@@ -897,8 +897,11 @@
+ // Read raw USB data and buffer it for later processing:
+ void wmrReadData (WVIEWD_WORK *work, WMRUSB_MSG_DATA* msg)
+ {
+-    memcpy(&wmrWork.readData[wmrWork.readIndex], msg->data, msg->length);
+-    wmrWork.readIndex += msg->length;
++    if (wmrWork.readIndex + msg->length <= WMR_BUFFER_LENGTH)
++    {
++        memcpy(&wmrWork.readData[wmrWork.readIndex], msg->data, msg->length);
++        wmrWork.readIndex += msg->length;
++    }
+ 
+     return;
+ }
-- 
1.7.3.4

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Reply via email to