2009-08-18 12:56:33

by Iain Hibbert

Subject: hcidump 1.42 crash on malformed OBEX packet


Hi,

I had a report of hcidump (v1.42) crashing when parsing a file and have
verified that it does so here, the dump file with personal information
edited out is attached.

The situation is that a (Siemens S68, I think it was) phone, when sending a
vCard, uses an OBEX packet containing the Put opcode but does not send
any length information, e.g. from the raw dump:

> 02 2E 20 0A 00    ACL handle 002e (start, no frag) len 000a
  06 00 41 00       L2CAP len 0006 cid 0041
  1B FF 03 01       RFCOMM dlci 6 type UIH pf 1 len 1 credit 1
  02                OBEX opcode 02 = Put
  93                RFCOMM fcs 93

and hcidump crashes because it reads past the end of the packet, and the
arithmetic in the obex_dump() routine eventually causes an improper memory
access after some looping.

The Object PUSH apparently even works, but perhaps that is because the
server assumed a length of zero. (I didn't look into that; the server was
obexapp using openobex to handle the OBEX details, running on NetBSD.)

The simplest fix is below, but there seem to be other places where the
frame length is not checked before reading data that could be invalid
(perhaps those would not cause loops, though).

With this fix, a packet that is not understood is simply not displayed; is
that the correct thing to do? The resulting dump seems to have several of
those, but I don't know the OBEX protocol.

By the way, while I'm here, is there a reason why the hcidump program is not
included with the bluez distributions?

regards,
iain

- --- parser/obex.c.orig 2007-02-18 03:39:02.000000000 +0000
+++ parser/obex.c
@@ -236,7 +236,7 @@ void obex_dump(int level, struct frame *

frm = add_frame(frm);

- - while (frm->len > 0) {
+ while (frm->len >= 3) {
opcode = get_u8(frm);
length = get_u16(frm);
status = opcode & 0x7f;
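Review bot: the `>= 3` guard only covers the opcode and length prefix read on the two lines that follow it; the `length` value returned by `get_u16(frm)` is still not compared against `frm->len` anywhere in this hunk, so a packet whose length field claims more bytes than the frame holds can still drive the parsing that follows past the end of the packet. Suggest adding, directly after `length = get_u16(frm);`, a check along the lines of `if (length < 3 || length - 3 > frm->len) break;` before any header data is consumed. Also, a 1- or 2-byte remainder (the bare Put opcode from the report) is now dropped silently; printing a short "truncated" line there would keep it visible in the dump instead of omitting it.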


Attachments:
dump (2.47 kB)
dump of vCard push will crash hcidump
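A bounds-checked OBEX packet walk in C, added here as an illustration of the length checking the report asks for; it is neither hcidump's code nor the author's patch. The `struct frame` / `get_u8` / `get_u16` names echo the hcidump idiom but are this example's own, the result codes are invented for the example, and it goes one step beyond the one-line patch by also checking each header's own length field against the bytes that remain. All sample byte strings are constructed: the one-byte Put mirrors the OBEX payload quoted from the dump above, the others are made up to exercise the checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Cursor over one captured frame (example type, not hcidump's). */
struct frame {
    const uint8_t *ptr;
    size_t len;
};

enum obex_result {
    OBEX_OK = 0,         /* frame consumed as well-formed packets */
    OBEX_TRUNCATED = 1,  /* bytes ran out before a field could be read */
    OBEX_BAD_LENGTH = 2  /* a length field is < its prefix or overruns the frame */
};

/* Every read is gated on frm->len; a refused read leaves the frame untouched. */
static int get_u8(struct frame *frm, uint8_t *out)
{
    if (frm->len < 1)
        return 0;
    *out = frm->ptr[0];
    frm->ptr++;
    frm->len--;
    return 1;
}

/* OBEX length fields are big-endian. */
static int get_u16(struct frame *frm, uint16_t *out)
{
    if (frm->len < 2)
        return 0;
    *out = (uint16_t)((frm->ptr[0] << 8) | frm->ptr[1]);
    frm->ptr += 2;
    frm->len -= 2;
    return 1;
}

static int skip(struct frame *frm, size_t n)
{
    if (frm->len < n)
        return 0;
    frm->ptr += n;
    frm->len -= n;
    return 1;
}

/* Header id bits 7..6 select the encoding: 00/01 = 2-byte length that counts
 * the 3-byte prefix, 10 = one byte of value, 11 = four bytes of value. */
static enum obex_result obex_headers(struct frame *hdr)
{
    uint8_t id;
    uint16_t hlen;

    while (hdr->len > 0) {
        get_u8(hdr, &id); /* len > 0 is guaranteed by the loop condition */
        switch (id & 0xc0) {
        case 0x00: /* Unicode text */
        case 0x40: /* byte sequence */
            if (!get_u16(hdr, &hlen))
                return OBEX_TRUNCATED;
            if (hlen < 3 || (size_t)(hlen - 3) > hdr->len)
                return OBEX_BAD_LENGTH;
            skip(hdr, hlen - 3);
            break;
        case 0x80:
            if (!skip(hdr, 1))
                return OBEX_TRUNCATED;
            break;
        default: /* 0xc0 */
            if (!skip(hdr, 4))
                return OBEX_TRUNCATED;
            break;
        }
    }
    return OBEX_OK;
}

/* Walk every packet in buf[0..n); *count = packets completed before stopping. */
static enum obex_result obex_walk(const uint8_t *buf, size_t n, size_t *count)
{
    struct frame frm = { buf, n }, hdr;
    uint8_t opcode;
    uint16_t length;
    enum obex_result r;

    *count = 0;
    while (frm.len > 0) {
        /* A bare Put opcode (as in the report) stops here instead of reading
         * past the packet for the missing length bytes. */
        if (frm.len < 3)
            return OBEX_TRUNCATED;
        get_u8(&frm, &opcode);
        get_u16(&frm, &length);
        /* length counts its own 3-byte prefix and must fit what was captured */
        if (length < 3 || (size_t)(length - 3) > frm.len)
            return OBEX_BAD_LENGTH;
        hdr.ptr = frm.ptr;
        hdr.len = length - 3;
        if ((r = obex_headers(&hdr)) != OBEX_OK)
            return r;
        skip(&frm, length - 3);
        (*count)++;
    }
    return OBEX_OK;
}

static enum obex_result obex_result(const uint8_t *buf, size_t n)
{
    size_t count;
    return obex_walk(buf, n, &count);
}

static size_t obex_count(const uint8_t *buf, size_t n)
{
    size_t count;
    obex_walk(buf, n, &count);
    return count;
}

/* Constructed samples (not taken from the attached dump file). */
static const uint8_t truncated_put[] = { 0x02 };                 /* the phone's bare Put */
static const uint8_t two_packets[] = {                           /* Put(final)+Length, Put(final)+Body */
    0x82, 0x00, 0x08, 0xc3, 0x00, 0x00, 0x00, 0x01,
    0x82, 0x00, 0x07, 0x48, 0x00, 0x04, 0x41 };
static const uint8_t overlong_put[] = { 0x02, 0x00, 0x10, 0xc3, 0x00, 0x00 }; /* length 16, 6 bytes */
static const uint8_t overlong_header[] = { 0x82, 0x00, 0x06, 0x01, 0x00, 0x20 }; /* Name hdr len 32 */

int main(void)
{
    printf("truncated_put: %d\n", obex_result(truncated_put, sizeof truncated_put));
    printf("two_packets: %d, count %zu\n", obex_result(two_packets, sizeof two_packets),
           obex_count(two_packets, sizeof two_packets));
    printf("overlong_put: %d\n", obex_result(overlong_put, sizeof overlong_put));
    printf("overlong_header: %d\n", obex_result(overlong_header, sizeof overlong_header));
    return 0;
}
```

The point of the two-level check is that a `>= 3` guard on the outer loop is necessary but not sufficient: once the 16-bit length has been read it has to be compared with the bytes that are actually left, and the same comparison is needed again for every header that carries its own length field, or a single lying length in a captured packet still walks the parser off the end of the buffer.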