linux-avmb1:coredump in libcapi20-3 triggered by capidivert 0.0.2

Wolfgang Rohdewald wolfgang at rohdewald.de
Sun Sep 19 14:50:02 CEST 2004


My setup: current debian unstable, kernel 2.4.27

Problem:

capidivert calls capi20_register with MaxB3Connection = 0,
so the libcapi internal alloc_buffers() allocates 0 buffers.

Later, capidivert calls capi_get_cmsg, which calls capi20_get_message,
which calls get_buffer, which returns the first buffer - which was never
allocated. So get_buffer returns NULL and capi20_get_message dereferences that.

libcapi20 should return some sort of error condition instead of dereferencing NULL.

The patch below fixes capidivert for me, but I don't really understand that code.
Note that changing MaxB3Connection to 1 does not suffice.

Is capidivert 0.0.2 really the latest release? I didn't find anything newer.

# diff -u yy/capidivert/cfctrl.c  capidivert-0.0.2/capidivert/cfctrl.c
--- yy/capidivert/cfctrl.c      2000-11-10 18:15:43.000000000 +0100
+++ capidivert-0.0.2/capidivert/cfctrl.c        2004-09-19 14:34:53.000000000 +0200
@@ -236,7 +236,7 @@
                return 1;
        }

-       err = capi20_register(0, 0, 2048, &ApplId);
+       err = capi20_register(2, 0, 2048, &ApplId);
        if (err != CapiNoError) {
                fprintf(stderr, "could not register - (%#x)\n", err);
                return 1;
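Review bot: the MaxB3Connection argument goes from 0 to 2 on the capi20_register line with no comment explaining the value, and the covering mail says 1 is not enough, so a later reader cannot tell this is a workaround for libcapi20 allocating zero receive buffers and get_buffer() handing capi20_get_message a NULL pointer; suggest a comment next to the call, e.g. `/* >= 2: with 0 libcapi20 allocates no buffers and capi20_get_message dereferences NULL */`, and treating the NULL check in capi20_get_message as the real fix on the library side.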


-- 
Wolfgang
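As an added illustration of the failure described in the mail (not libcapi20's or capidivert's own code; the pool layout, the function names get_message_unchecked/get_message_checked and the error value ERR_NO_BUFFER are assumptions), a minimal buffer pool in which get_buffer() returns NULL after alloc_buffers() was called with zero connections, shown once with the dereference the mail describes and once returning an error code instead:

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Modelled on the mail: the number of receive buffers follows
 * MaxB3Connection, so registering with 0 allocates none.
 * Names, layout and error values are assumptions for this example. */
#define BUF_SIZE      2048
#define ERR_OK        0
#define ERR_NO_BUFFER 0x1108   /* constructed error value, not a CAPI code */

static unsigned char *pool  = NULL;
static size_t         nbufs = 0;

/* Allocate nbuf receive buffers; nbuf == 0 leaves the pool empty. */
int alloc_buffers(size_t nbuf) {
    free(pool);
    pool  = NULL;
    nbufs = nbuf;
    if (nbuf == 0) return ERR_OK;          /* nothing allocated, pool stays empty */
    pool = calloc(nbuf, BUF_SIZE);
    return pool ? ERR_OK : ERR_NO_BUFFER;
}

/* Return buffer i, or NULL when it was never allocated. */
unsigned char *get_buffer(size_t i) {
    if (pool == NULL || i >= nbufs) return NULL;
    return pool + i * BUF_SIZE;
}

/* The crash: copies into whatever get_buffer() returned, NULL included. */
int get_message_unchecked(size_t i, const unsigned char *msg, size_t len) {
    unsigned char *b = get_buffer(i);
    memcpy(b, msg, len);                   /* NULL write when the pool is empty */
    return ERR_OK;
}

/* The fix: a missing buffer becomes an error code for the caller. */
int get_message_checked(size_t i, const unsigned char *msg, size_t len) {
    unsigned char *b = get_buffer(i);
    if (b == NULL || len > BUF_SIZE) return ERR_NO_BUFFER;
    memcpy(b, msg, len);
    return ERR_OK;
}
```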
