Thread: Segfault on Memset

  1. #1
    Registered User
    Join Date
    Oct 2012
    Posts
    25

    Segfault on Memset

    Hi

    I got a segfault on memset. I could bt the segfault, but when I try to show the values of variables, gdb says there is no symbol for them, so I read the memset documentation, but I myself can't see anything wrong with the code. But I am quite sure that for guys who have deep knowledge the bug might be clear, so I ask here: does anybody know how this segfault

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to LWP 2039]
    0x29815294 in memset () from /lib/libc.so.6
    (gdb) bt
    #0 0x29815294 in memset () from /lib/libc.so.6
    #1 0x0042b2c6 in camd35_send_ecm (client=0x4cf240, er=0x4d1028,
    buf=0x2b0e8d28 "") at module-camd35.c:582
    #2 0x00426a8c in casc_process_ecm (reader=0x4c1570, er=0x4f12e0)
    at oscam-reader.c:445
    #3 0x00426ed6 in reader_get_ecm (reader=0x4c1570, er=0x4f12e0)
    at oscam-reader.c:512
    #4 0x004278b2 in reader_do_pipe (reader=0x4c1570) at oscam-reader.c:781
    #5 0x00427a2c in reader_main (reader=0x4c1570) at oscam-reader.c:820
    #6 0x00427c5e in start_cardreader (rdr=0x4c1570) at oscam-reader.c:898
    #7 0x29799486 in ?? () from /lib/libpthread.so.0
    Backtrace stopped: frame did not save the PC

    The second memset probably causes this segfault :\
    Code:
        memset(buf, 0, 20);
        memset(buf + 20, 0xff, er->l+15);

    Line 35 (the second memset) corresponds to module-camd35.c line 582, which is mentioned in frame 1 of the segfault log.

    Code:
    static int32_t camd35_send_ecm(struct s_client *client, ECM_REQUEST *er, uchar *buf)
    {
        static const char *typtext[] = {"ok", "invalid", "sleeping"};

        if (client->stopped) {
            if (er->srvid == client->lastsrvid && er->caid == client->lastcaid && er->pid == client->lastpid) {
                cs_log("%s is stopped - requested by server (%s)",
                       client->reader->label, typtext[client->stopped]);
                return(-1);
            }
            else {
                client->stopped = 0;
            }
        }

        client->lastsrvid = er->srvid;
        client->lastcaid = er->caid;
        client->lastpid = er->pid;

        if (client->is_udp) {
            if (!client->udp_sa.sin_addr.s_addr || client->reader->last_s - client->reader->last_g > client->reader->tcp_rto)
                if (!hostResolve(client->reader)) return -1;
        }
        else {
            if (!tcp_connect()) return -1;
        }
        client->reader->card_status = CARD_INSERTED; //for udp

        memset(buf, 0, 20);
        memset(buf + 20, 0xff, er->l+15);

        buf[1] = er->l;
        i2b_buf(2, er->srvid, buf + 8);
        i2b_buf(2, er->caid, buf + 10);
        i2b_buf(4, er->prid, buf + 12);     //  i2b_buf(2, er->pid,, buf + 16);     //  memcpy(buf+16, &er->idx , 2);
        i2b_buf(2, er->idx, buf + 16);
        buf[18] = 0xff;
        buf[19] = 0xff;
        memcpy(buf + 20, er->ecm, er->l);
        return((camd35_send(buf) < 1) ? (-1) : 0);
    }
    The entire source code, if needed, is here
    Last edited by jimycn; 02-28-2013 at 09:54 AM.

  2. #2
    Registered User
    Join Date
    Oct 2012
    Posts
    25
    Well, I remembered that Salem once advised me, instead of memset and directly memcpy, to use strncpy (I followed that advice with the code), but I tried that strncpy (on another part of the code) and the result was unexpected and buggy. Well, in this source code there is cs_strncpy, which might not be what Salem expects, therefore I quote cs_strncpy; maybe Salem could advise me to correct cs_strncpy and then I will use his advice.

    Code:
    #include <stddef.h>
    #include <string.h>

    /* Ordinary strncpy does not terminate the string if the source is exactly as long as or longer than the specified size. This can raise security issues.
       This function is a replacement which makes sure that a \0 is always added. num should be the real size of the char array (do not subtract 1). */
    void cs_strncpy(char *destination, const char *source, size_t num)
    {
        /* num == 0 leaves no room for the terminator, and num - 1 would wrap around as size_t */
        if (!destination || !source || num == 0)
            return;
        size_t l, size = strlen(source);
        if (size > num - 1) l = num - 1;
        else l = size;
        memcpy(destination, source, l);
        destination[l] = '\0';
    }
    Last edited by jimycn; 02-28-2013 at 10:12 AM.

  3. #3
    Registered User
    Join Date
    Mar 2011
    Posts
    546
    There are two possibilities for your problem: the buffer pointer is invalid or the length spec in the memcpy is too long. Check both.
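    The second of those checks, as an added example (not the thread's or OSCam's code): the packet-building part of camd35_send_ecm from post #1 rewritten to take the buffer's real capacity and to refuse a request whose 20 + er->l + 15 bytes do not fit, instead of letting memset run past the end. The ecm_req_t struct, put_be (standing in for i2b_buf) and the sample request values are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical minimal stand-in for the ECM_REQUEST fields the function touches;
   OSCam's real struct is much larger. er->l is the ECM length. */
typedef struct {
    uint16_t srvid, caid, pid, idx;
    uint32_t prid;
    int16_t  l;
    uint8_t  ecm[256];
} ecm_req_t;
#define CAMD35_HDR 20

/* Big-endian store, assumed equivalent to OSCam's i2b_buf for n of 2 or 4. */
static void put_be(int n, uint32_t v, uint8_t *out)
{
    for (int i = 0; i < n; i++) out[i] = (uint8_t)(v >> (8 * (n - 1 - i)));
}

/* Builds the camd35 ECM packet into buf, whose real capacity is buf_size.
   Returns the number of bytes written, or -1 if the request cannot fit. */
int build_camd35_ecm(const ecm_req_t *er, uint8_t *buf, size_t buf_size)
{
    if (!er || !buf) return -1;
    /* buf[1] holds er->l as one byte, so anything outside 0..255 is malformed. */
    if (er->l < 0 || er->l > 255) return -1;
    size_t need = CAMD35_HDR + (size_t)er->l + 15;  /* same 20 + l + 15 the thread's code fills */
    if (need > buf_size) return -1;                 /* the check the thread's memset lacks */
    memset(buf, 0, CAMD35_HDR);
    memset(buf + CAMD35_HDR, 0xff, (size_t)er->l + 15);
    buf[1] = (uint8_t)er->l;
    put_be(2, er->srvid, buf + 8);
    put_be(2, er->caid,  buf + 10);
    put_be(4, er->prid,  buf + 12);
    put_be(2, er->idx,   buf + 16);
    buf[18] = 0xff;
    buf[19] = 0xff;
    memcpy(buf + CAMD35_HDR, er->ecm, (size_t)er->l);
    return (int)need;
}

/* Constructed sample request (values invented here) with ECM length l, built into buf. */
int build_sample(uint8_t *buf, size_t cap, int16_t l)
{
    ecm_req_t er = {0};
    er.srvid = 0x1234; er.caid = 0x0500; er.prid = 0x00030B00; er.idx = 7; er.l = l;
    er.ecm[0] = 0x80; er.ecm[1] = 0x70; er.ecm[2] = 0x01;
    return build_camd35_ecm(&er, buf, cap);
}
```

    With a 64-byte buffer and l = 3 the builder returns 38; with a 37-byte buffer, or l outside 0..255, it returns -1 before touching memory.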
