new release?

John (J5) Palmieri johnp at redhat.com
Fri Apr 22 13:33:22 PDT 2005


On Fri, 2005-04-22 at 00:47 -0400, David Zeuthen wrote:
> On Wed, 2005-04-20 at 12:17 -0400, David Zeuthen wrote:
> > On Wed, 2005-04-20 at 12:16 -0400, David Zeuthen wrote:
> > > Hey,
> > > 
> > > Can we go ahead and release 0.34? I need the fixes put in post 0.33 to
> > > just get hal running.
> > 
> > Bah, I meant 0.33 respectively 0.32.
> > 
> 
> Hi, so Havoc wants 'make check' to pass before we do a release.
> 
> So, 'make check' does pass with gcc32 (gcc version 3.2.3 20030502 (Red
> Hat Linux 3.2.3-47.fc4)), the only non-gcc4 compiler I have around, but
> I can't get it to work with gcc4 (gcc version 4.0.0 20050412 (Red Hat
> 4.0.0-0.42)). I've confirmed this for both 0.30, 0.31, 0.32 and CVS
> HEAD.
> 
> It's late, so maybe I'm missing something, but this is really creepy: In
> dbus-marshal-recursive-util.c we have this function
> 
>         static dbus_bool_t
>         string_write_value (TestTypeNode   *node,
>                             DataBlock      *block,
>                             DBusTypeWriter *writer,
>                             int             seed)
>         {
>           char buf[MAX_SAMPLE_STRING_LEN];
>           const char *v_string = buf;
>         
>           string_from_seed (buf, node->klass->subclass_detail,
>                             seed);
>         
>           _dbus_warn ("buf='%s' 0x%08x\n", buf, (void *) buf);
>           _dbus_warn ("v_string='%s' 0x%08x\n", v_string, (void *) v_string);
>         
>           return _dbus_type_writer_write_basic (writer,
>                                                 node->klass->typecode,
>                                                 &v_string);
>         }

Ok, so this was not the problem but it was faulty code.
string_from_seed does overwrite buf in cases where the initial size of
the string is 8 and the seed is 1.  In that case 2 is added to the
length making it 10 which is the size of the buffer.  The buffer is
filled in from position 0 to 9 but a null character is added at position
10 which causes the overflow.  The real problem is happening in
_dbus_validate_signature_with_reason in dbus-marshal-validate.c where
for some reason the signature being passed in is a whitespace.  Will
debug further.

-- 
John (J5) Palmieri
Associate Software Engineer
Desktop Group
Red Hat, Inc.
Blog: http://martianrock.com
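The off-by-one John describes above, reconstructed as an added C example (not dbus code; the function names, the seed rule and the 10-byte buffer size are assumptions taken from the mail), with a bounded variant beside it and a canary check that shows the overwrite without undefined behaviour:

```c
#include <string.h>
/* Assumed from the mail: a 10-byte buffer and a length that reaches 10 when seed is 1. */
#define MAX_SAMPLE_STRING_LEN 10

static size_t sample_len(size_t initial, int seed)
{
  return seed == 1 ? initial + 2 : initial; /* assumed seed rule, not dbus's */
}

/* Defective variant: writes len bytes, then the NUL at buf[len]; when
 * len == MAX_SAMPLE_STRING_LEN the terminator lands one byte past the buffer. */
static void fill_unbounded(char *buf, size_t initial, int seed)
{
  size_t len = sample_len(initial, seed);
  for (size_t i = 0; i < len; i++)
    buf[i] = (char)('a' + (seed + i) % 26);
  buf[len] = '\0';
}

/* Fixed variant: the caller passes the buffer size and the write is refused
 * unless len + 1 (data plus terminator) fits. Returns 1 on success, 0 if refused. */
static int fill_bounded(char *buf, size_t bufsize, size_t initial, int seed)
{
  size_t len = sample_len(initial, seed);
  if (len + 1 > bufsize) return 0;
  for (size_t i = 0; i < len; i++)
    buf[i] = (char)('a' + (seed + i) % 26);
  buf[len] = '\0';
  return 1;
}

/* Shows the overflow without undefined behaviour: a canary byte sits right after
 * a MAX_SAMPLE_STRING_LEN-byte region; returns 1 if the defective fill clobbered it. */
static int overflow_detected(size_t initial, int seed)
{
  char backing[MAX_SAMPLE_STRING_LEN + 1];
  backing[MAX_SAMPLE_STRING_LEN] = 'C';
  fill_unbounded(backing, initial, seed);
  return backing[MAX_SAMPLE_STRING_LEN] != 'C';
}

/* Length the bounded variant produces in a real 10-byte buffer, or -1 if it refused. */
static int bounded_len(size_t initial, int seed)
{
  char buf[MAX_SAMPLE_STRING_LEN];
  if (!fill_bounded(buf, sizeof buf, initial, seed))
    return -1;
  return (int)strlen(buf);
}
```

With initial length 8 and seed 1 the defective fill overwrites the canary, while the bounded fill refuses; with seed 0 both variants stay inside the buffer.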
