possible bug


Jon Berg
Phone Nokia 3120

config:
[phone_1]
port = /dev/ttyUSB1
model = AT
model = series40
connection = serial
use_locking = no


This is with snapshot, downloaded and compiled today.

[Sending Ack of type 14, seq: 5]
[Sending Ack of type 14, seq: 6]
Message received: 0x14 / 0x008a
01 55 00 0f 00 01 00 84 01 00 00 03 02 01 00 00 |  U
07 91 33 48 41 01 10 f4 00 00 00 00 0b 91 51 20 |   3HA         Q
15 20 87 f5 00 00 00 00 21 01 91 90 71 90 80 00 |         !   q
00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 |
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
00 00 00 00 00 00 00 00 00 00                   |
Received message type 14
Message: SMS message (#3 in folder #2) status received: 1
Trying to get message #3 from folder #14
Getting SMS from location 3
Message sent: 0x14 / 0x000a
00 01 00 02 01 02 00 03 01 00                   |
[Received Ack of type 14, seq:  3]
[Sending Ack of type 14, seq: 7]
Message received: 0x14 / 0x003e
01 55 00 03 00 01 01 02 00 03 00 00 00 01 00 30 |  U             0
64 00 08 21 01 91 90 71 90 80 00 00 00 03 82 0c | d  !   q
01 08 0b 91 51 20 15 20 87 f5 82 0c 02 08 07 91 |     Q
33 48 41 01 10 f4 80 08 01 00 2d 00 00 00       | 3HA       -
Received message type 14
Trying to get message #3 in folder #2
Trying to parse message....
Type: 0
Length: 48
Type: Deliver
Location of SMS in current folder: 3
Memory type/folder id: 2
Mobile Terminated message:
    Date: 2012-10-19 09:17:09 +0200
    Remote number (recipient or sender): +XXXXXXXXXXX
    SMS center number: +XXXXXXXXXXX
Data Coding Scheme 0x08
UDH found
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Unicode message

lt-smsd: malloc.c:2368: sysmalloc: Assertion `(old_top == (((mbinptr)
(((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct
malloc_chunk, fd)))) && old_size == 0) || ((unsigned long) (old_size)
>= (unsigned long)((((__builtin_offsetof (struct malloc_chunk,
fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t)))
- 1))) && ((old_top)->size & 0x1) && ((unsigned long)old_end &
pagemask) == 0)' failed.
Aborted




Regards,
Jon.

_______________________________________________
gnokii-users mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/gnokii-users

Re: possible bug

Daniele Forsi-2
2012/10/20 Jon Berg:
> Phone Nokia 3120
>
> config:
> [phone_1]
> port = /dev/ttyUSB1
> model = AT
> model = series40
> connection = serial
> use_locking = no

does it work with model = AT ?

if it does I think that the problem is that we aren't actually copying
the user data part in the nk6510/series40 driver, so in
common/phones/nk6510.c after line 939 which is a call to ParseLayout()
you can try to add: gn_sms_parse(data);

--
Daniele Forsi


Re: possible bug

Jon Berg
> does it work with model = AT ?

That should not be in there,
but it seems to understand that it should be series40 anyway. :-)
I have corrected my config file now.

>
> if it does I think that the problem is that we aren't actually copying
> the user data part in the nk6510/series40 driver, so in
> common/phones/nk6510.c after line 939 which is a call to ParseLayout()
> you can try to add: gn_sms_parse(data);

I tried to add that, but it did not seem to make any difference.
The output is the same.


        data->raw_sms->status = status;
        ParseLayout(message + 13, data);

        gn_sms_parse(data);  /* edit: line added as suggested */

        /* Number of SMS in folder */
        data->raw_sms->number = message[8] * 256 + message[9];
        dprintf("Location of SMS in current folder: %d\n", data->raw_sms->number);

(It is a different sms message than in my first email, but it seems to
be the same issue.)
This is the output:
It looks the same with and without the modification.


Trying to parse message....
Type: 0
Length: 48
Type: Deliver
Location of SMS in current folder: 1
Memory type/folder id: 2
Mobile Terminated message:
        Date: 2012-10-20 23:18:09 +0200
        Remote number (recipient or sender): +1XXXX
        SMS center number: +XXXX
Data Coding Scheme 0x08
UDH found
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Concatenated messages
Unicode message

lt-smsd: malloc.c:3668: _int_malloc: Assertion `(unsigned long)(size)
>= (unsigned long)(nb)' failed.
Aborted


Re: possible bug

Pawel Kot
In reply to this post by Jon Berg
Hi,

On Sat, Oct 20, 2012 at 2:33 AM, Jon Berg <[hidden email]> wrote:
> Phone Nokia 3120
> This is with snapshot, downloaded and compiled today.

Can you please provide full debug log of reading this particular
message with gnokii --getsms?

thanks,
--
Pawel Kot


Re: possible bug

Jon Berg
> Can you please provide full debug log of reading this particular
> message with gnokii --getsms?
>

It does not crash when running it with "gnokii". It only happens with the smsd.

Attached is the output when running it with gnokii. I 'x'-ed the phone numbers.


When it stops with:
lt-smsd: malloc.c:2368: sysmalloc: Assertion `(old_top == (((mbinptr)
(((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct
malloc_chunk, fd)))) && old_size == 0) || ((unsigned long) (old_size)
>= (unsigned long)((((__builtin_offsetof (struct malloc_chunk,
fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t)))
- 1))) && ((old_top)->size & 0x1) && ((unsigned long)old_end &
pagemask) == 0)' failed.

the backtrace of lt-smsd is:

Program received signal SIGABRT, Aborted.
[Switching to Thread 0xb6c9eb40 (LWP 3752)]
0xb7782424 in __kernel_vsyscall ()
(gdb) backtrace
#0  0xb7782424 in __kernel_vsyscall ()
#1  0xb74405df in raise () from /lib/libc.so.6
#2  0xb7441ec3 in abort () from /lib/libc.so.6
#3  0xb7483d79 in __malloc_assert () from /lib/libc.so.6
#4  0xb7486a4a in _int_malloc () from /lib/libc.so.6
#5  0xb7487c88 in malloc () from /lib/libc.so.6
#6  0xb761f4bb in ?? () from /lib/libglib-2.0.so.0
#7  0xb761f833 in g_malloc () from /lib/libglib-2.0.so.0
#8  0x0804ad0b in RefreshSMS (number=37) at lowlevel.c:195
#9  0x0804b245 in RealConnect (phone=phone@entry=0x8c07900) at lowlevel.c:428
#10 0x0804b5ff in Connect (phone=0x8c07900) at lowlevel.c:471
#11 0xb75bed08 in start_thread () from /lib/libpthread.so.0
#12 0xb74fa8de in clone () from /lib/libc.so.6


Attachment: gnokii.txt (19K)

Re: possible bug

Jon Berg
This was run without the gn_sms_parse(data); as you suggested in the first mail.


Re: possible bug

Jon Berg
Do you need me to do anything additional to investigate this further?
I kind of need to use this phone so I would have to delete all the
messages to get it to work again.


Regards,
Jon Berg.


Re: possible bug

Daniele Forsi-2
2012/10/23 Jon Berg:

> Do you need me to do anything additional to investigate this further?
> I kind of need to use this phone so I would have to delete all the
> messages to get it to work again.

before deleting your messages can you try to read one of those that
break smsd using both model=series40 and model=AT so that we can
compare them?

after that you may delete your messages because I can do all the tests
hacking NK6510_GetSMS() by replacing its contents with the following
code, so that gnokii --getsms will always read this SMS:
{
        /* the 0x3e-byte frame from the debug log above, with the phone
         * numbers replaced by dummy digits */
        unsigned char *buf =
                "015500030001010200030000000100306400082101919071908000000003820c01080b912143658709f1820c020807913333333333f3800801002d000000";
        unsigned char message[0x003e];

        hex2bin(message, buf, strlen(buf));

        /* hand it to the normal incoming-frame handler as if the phone had just sent it */
        return NK6510_IncomingFolder(0x14, message, 0x003e, data, state);
}

the problem is that the 2d towards the end of the frame is taken as
the length of the following UDH data (which in fact is not there) and
a static buffer is overflowed while trying to copy it; strange is that
the code to handle that kind of frame doesn't seem to have changed
much since 2002.
--
Daniele Forsi


Re: possible bug

Jon Berg
> before deleting your messages can you try to read one of those that
> break smsd using both model=series40 and model=AT so that we can
> compare them?

Sorry, I was not able to get any output with AT. I have tried to get
it to work but no.
I don't think AT works with the cable I got.


Re: possible bug

Jon Berg
Hi again,

Is there any way you can suggest a quick and dirty fix that I can
apply to the source code, so that it does not crash? It's not even
important that the message is returned.

you said:
"strange is that
the code to handle that kind of frame doesn't seem to have changed
much since 2002"

Does that mean that you are reluctant to make any changes, and you suspect
my device is bad?


Regards,
Jon Berg.


Re: possible bug

Daniele Forsi-2
2012/12/12 Jon Berg:

> Is there any way you can suggest a quick and dirty fix that I can
> apply to the source code?
> So that it does not crash. Its not even important that the message returned.

dirty fix (with the frame taken from your output it returns the
correct date, phone number, etc., but the message looks empty):

diff --git a/common/gsm-sms.c b/common/gsm-sms.c
index 77ab16d..0242798 100644
--- a/common/gsm-sms.c
+++ b/common/gsm-sms.c
@@ -564,6 +564,8 @@ static gn_error sms_udh_decode(unsigned char
*message, gn_sms_udh *udh)
                length -= (udh_length + 2);
                pos += (udh_length + 2);
                nr++;
+               if (nr == GN_SMS_UDH_MAX_NUMBER)
+                       break;
        }
        udh->number = nr;
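Review bot: the `if (nr == GN_SMS_UDH_MAX_NUMBER) break;` guard caps how many elements get stored, which stops the fixed-size array from overflowing, but nothing in this hunk checks `udh_length` against the bytes still available, so `length -= (udh_length + 2);` and `pos += (udh_length + 2);` can still step past the end of `message` on an element that claims more bytes than exist (the 0x2d case in this thread) before the count ever reaches the cap; add a `udh_length + 2 > length` check ahead of the consumption and return an error rather than silently truncating, and consider `>=` instead of `==` for the cap so a count that is already above the limit cannot skip the break.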

> you said:
> "strange is that
> the code to handle that kind of frame doesn't seem to have changed
> much since 2002"
>
> Does that mean that you are reluctant to make any changes. And you suspect
> my device is bad?

no, I mean that I'm surprised that it didn't happen sooner.
when I looked I didn't see anything clearly wrong, but I'll look again

--
Daniele Forsi


Re: possible bug

Jon Berg
Thanks a lot!


Re: possible bug

Daniele Forsi-2
I looked again but I didn't find a fix for the root problem, so after
all the fix I showed wasn't bad.

the problem is that we're trying to decode a Nokia packet, not a standard PDU.

according to previous data found in your debug log, we know that the
user data should start with an header and the first byte of such
header (which is 0x2d, decimal 45) should be interpreted as the length
of the header, but there are only 3 bytes after it (they are 00 00 00)
/* User Data */  80 08 01 00 2d 00 00 00
                 00  data->raw_sms->length = block[3];
                 01  data->raw_sms->user_data_length = block[2];
                 2d  memcpy(data->raw_sms->user_data, block + 4, block[2]);

--
Daniele Forsi
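Daniele's last two messages describe the defect: the user-data length and the UDH length byte are trusted without checking them against the bytes actually present, so the 0x2d at the end of the "User Data" sub-block is treated as a 45-byte header when only three bytes follow it. The C program below is an added example, not gnokii code, that parses the same `80 08 01 00 2d 00 00 00` sub-block with every length validated before any copy or read. The sub-block layout (type, total length, user-data length, message length, data) is taken from the three lines of gnokii code quoted above; the function names, the error codes and the `UDH_MAX_ELEMENTS` and `USER_DATA_MAX` limits are assumptions of this example (gnokii's own cap is `GN_SMS_UDH_MAX_NUMBER`, whose value the thread does not show). A second, constructed well-formed block with a concatenation header shows the normal path.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limits for this example; gnokii's own cap is
 * GN_SMS_UDH_MAX_NUMBER, whose value the thread does not show. */
#define UDH_MAX_ELEMENTS 8
#define USER_DATA_MAX    140

enum ud_status {
    UD_OK              =  0,
    UD_ERR_SHORT_BLOCK = -1,  /* sub-block claims more bytes than were supplied */
    UD_ERR_BAD_UDH_LEN = -2,  /* UDH length byte exceeds the user data present  */
    UD_ERR_BAD_IE      = -3,  /* an information element overruns the UDH       */
    UD_ERR_TOO_MANY_IE = -4   /* more elements than the caller can store       */
};

struct udh_element {
    uint8_t type;
    uint8_t length;
    const uint8_t *data;      /* points into the caller's user-data buffer */
};

/* Copy the user data out of a Nokia "User Data" sub-block laid out as
 *   block[0] type (0x80), block[1] total sub-block length,
 *   block[2] user data length, block[3] message length, block+4 data.
 * Each length is checked against the bytes actually available before the
 * memcpy. Returns the number of bytes copied or a negative ud_status. */
int extract_user_data(const uint8_t *block, size_t avail,
                      uint8_t *out, size_t out_cap)
{
    if (avail < 4)
        return UD_ERR_SHORT_BLOCK;
    size_t block_len = block[1];
    size_t ud_len = block[2];
    if (block_len < 4 || block_len > avail)
        return UD_ERR_SHORT_BLOCK;
    if (ud_len > block_len - 4 || ud_len > out_cap)
        return UD_ERR_SHORT_BLOCK;
    memcpy(out, block + 4, ud_len);
    return (int)ud_len;
}

/* Decode a User Data Header: ud[0] is the header length, followed by
 * (type, length, data...) information elements. Never reads past
 * ud + ud_len and never stores more than max_elems elements.
 * Returns the element count or a negative ud_status. */
int decode_udh(const uint8_t *ud, size_t ud_len,
               struct udh_element *elems, size_t max_elems)
{
    if (ud_len < 1)
        return UD_ERR_BAD_UDH_LEN;
    size_t udh_len = ud[0];
    if (udh_len + 1 > ud_len)      /* the 0x2d-with-nothing-after-it case */
        return UD_ERR_BAD_UDH_LEN;
    size_t pos = 1, end = 1 + udh_len, n = 0;
    while (pos < end) {
        if (pos + 2 > end)
            return UD_ERR_BAD_IE;
        uint8_t ie_type = ud[pos], ie_len = ud[pos + 1];
        if (pos + 2 + ie_len > end)
            return UD_ERR_BAD_IE;
        if (n >= max_elems)
            return UD_ERR_TOO_MANY_IE;
        elems[n].type = ie_type;
        elems[n].length = ie_len;
        elems[n].data = ud + pos + 2;
        n++;
        pos += 2 + ie_len;
    }
    return (int)n;
}

/* Both stages on one sub-block: the user data lands in ud, the header
 * elements in elems. Returns the element count or the first error. */
int parse_user_data_block(const uint8_t *block, size_t avail,
                          uint8_t *ud, size_t ud_cap,
                          struct udh_element *elems, size_t max_elems)
{
    int n = extract_user_data(block, avail, ud, ud_cap);
    return n < 0 ? n : decode_udh(ud, (size_t)n, elems, max_elems);
}

/* Constructed inputs: the sub-block quoted in the thread, and a well-formed
 * one carrying a concatenation IE (00 03 ab 02 01) followed by UCS-2 "Hi". */
static const uint8_t bad_block[]  = { 0x80, 0x08, 0x01, 0x00, 0x2d, 0x00, 0x00, 0x00 };
static const uint8_t good_block[] = { 0x80, 0x0e, 0x0a, 0x0a,
                                      0x05, 0x00, 0x03, 0xab, 0x02, 0x01,
                                      0x00, 0x48, 0x00, 0x69 };

int check_block(const uint8_t *block, size_t avail)
{
    uint8_t ud[USER_DATA_MAX];
    struct udh_element e[UDH_MAX_ELEMENTS];
    return parse_user_data_block(block, avail, ud, sizeof ud, e, UDH_MAX_ELEMENTS);
}

/* A constructed header whose single element claims 2 bytes when only 1 remains. */
int check_truncated_ie(void)
{
    const uint8_t ud[] = { 0x03, 0x00, 0x02, 0xaa };
    struct udh_element e[UDH_MAX_ELEMENTS];
    return decode_udh(ud, sizeof ud, e, UDH_MAX_ELEMENTS);
}

int main(void)
{
    printf("thread's block:    %d\n", check_block(bad_block, sizeof bad_block));   /* -2 */
    printf("well-formed block: %d\n", check_block(good_block, sizeof good_block)); /* 1  */
    printf("truncated IE:      %d\n", check_truncated_ie());                       /* -3 */
    return 0;
}
```

With the thread's sub-block the first stage succeeds (block[2] = 1 byte is within the 8-byte block) and the second stage refuses the 0x2d header length, which is the point at which the unchecked code in smsd started copying past its buffer; the well-formed block yields one decoded element.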
