From 6cdf70598ab71bad6b1aff95b9be9d972e581747 Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Sat, 16 Mar 2013 22:05:31 +0100
Subject: wavecom: Fix unaligned memory access and silent stack corruption

The parameters were uint16_t and we asked the libc to make a store of uint32_t. So 16bit were written to the wrong part of the struct and on ARM this is causing unaligned memory access. Use the %hx to make a uint16_t store and avoid the above issue.

GDB
#0 0x4d4d0a20 in _IO_vfscanf () from /lib/libc.so.6
(gdb) bt
#0 0x4d4d0a20 in _IO_vfscanf () from /lib/libc.so.6
#1 0x4d4d5d54 in __isoc99_vsscanf () from /lib/libc.so.6
#2 0x4d4d5cd0 in __isoc99_sscanf () from /lib/libc.so.6
#3 0x400a597c in ?? () from /usr/lib/gsmd/libgsmd-vendor_wavecom.so
Cannot access memory at address 0x3

Clang:
vendor_wavecom.c:114:21: warning: format specifies type 'unsigned int *' but the argument has type 'u_int16_t *' (aka 'unsigned short *') [-Wformat]
sscanf(tok, "%x", &aux->u.cell_info.ci);
~~ ^~~~~~~~~~~~~~~~~~~~
%hx
---
 src/gsmd/vendor_wavecom.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'src')

diff --git a/src/gsmd/vendor_wavecom.c b/src/gsmd/vendor_wavecom.c
index 18253db..b1b6929 100644
--- a/src/gsmd/vendor_wavecom.c
+++ b/src/gsmd/vendor_wavecom.c
@@ -75,9 +75,9 @@ static int cced_parse(const char *buf, int len, const char *param,
  TOK_OR_OUT(tok);
  aux->u.cell_info.mnc = atoi(tok);
  TOK_OR_OUT(tok);
- sscanf(tok, "%x", &aux->u.cell_info.lac);
+ sscanf(tok, "%hx", &aux->u.cell_info.lac);
  TOK_OR_OUT(tok);
- sscanf(tok, "%x", &aux->u.cell_info.ci);
+ sscanf(tok, "%hx", &aux->u.cell_info.ci);
  TOK_OR_OUT(tok);
  aux->u.cell_info.bsic = atoi(tok);
  TOK_OR_OUT(tok);
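Review bot: The return value of both rewritten `sscanf` calls in this hunk is still discarded, so a token that is not valid hex leaves `lac` and `ci` holding whatever the struct already contained while cced_parse carries on as if the field had been parsed; the hunk at -109 has the same pattern. Since `tok` presumably comes straight from the modem's response text, a failed conversion should abort the parse the same way TOK_OR_OUT does, e.g. `if (sscanf(tok, "%hx", &aux->u.cell_info.lac) != 1)` followed by the error exit TOK_OR_OUT takes, and likewise for `ci`. `%hx` now matches the 16-bit field, but a hex token wider than 16 bits is out of range for the conversion and is not reported either, so a `strtoul` with an explicit `<= 0xffff` check would be the more defensive form (the neighbouring `atoi` calls for mnc and bsic share the no-error-reporting limitation, though they are unchanged by this commit). cced_parse begins before and continues after the hunk.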
@@ -109,9 +109,9 @@ static int cced_parse(const char *buf, int len, const char *param,
  TOK_OR_OUT(tok);
  aux->u.cell_info.mnc = atoi(tok);
  TOK_OR_OUT(tok);
- sscanf(tok, "%x", &aux->u.cell_info.lac);
+ sscanf(tok, "%hx", &aux->u.cell_info.lac);
  TOK_OR_OUT(tok);
- sscanf(tok, "%x", &aux->u.cell_info.ci);
+ sscanf(tok, "%hx", &aux->u.cell_info.ci);
  TOK_OR_OUT(tok);
  aux->u.cell_info.bsic = atoi(tok);
  TOK_OR_OUT(tok);
--
cgit v1.2.3