| Commit message | Author | Age | Files | Lines |
(cherry picked from commit b1ca838868c8a975f3bb616519e4b3eeecbeac1b)
For messages that may be composed of multiple fragments, the
_mbim_message_validate_type_header() method would validate whether the
fragment header can be read or not, because not all fragments contain
the additional type-specific header contents.
But once the message is complete with all fragments, the message
validation must also ensure that the type-specific header contents are
readable before attempting to read them, or we will end up with
invalid memory reads.
Detected via ASAN+Fuzzing:
==5169==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000bc9ac at pc 0x55a9fc0d536d bp 0x7ffc556bb7b0 sp 0x7ffc556bb7a8
READ of size 4 at 0x6030000bc9ac thread T0
#0 0x55a9fc0d536c in _mbim_message_validate_complete_fragment libmbim-9999-build/../libmbim-9999/src/libmbim-glib/mbim-message.c:239:28
#1 0x55a9fc0baf40 in _mbim_message_validate_fragment libmbim-9999-build/../libmbim-9999/src/libmbim-glib/mbim-message.c:279:12
#2 0x55a9fc0ba7a1 in mbim_message_validate libmbim-9999-build/../libmbim-9999/src/libmbim-glib/mbim-message.c:292:12
#3 0x55a9fc0b9af1 in LLVMFuzzerTestOneInput libmbim-9999-build/../libmbim-9999/src/libmbim-glib/test/test-message-fuzzer.c:25:5
(cherry picked from commit 37825b4ecbffdf94eb3af935ce7e8032be63f99a)
The task completion involves creating a duplicate of the MbimMessage,
so a duplicate of the contents of the internal `self->priv->response`
buffer.
This internal buffer may be cleared e.g. with a forced-close, which
users of the MbimDevice may decide to do upon a SIGNAL_ERROR, as the
mbim-proxy does.
So, avoid this race by making sure the task completion and the message
duplication happen before the SIGNAL_ERROR is emitted.
Thread 0(id: 3296) CRASHED [ SIGSEGV /0x00000000@0x0000000000000004 ]
0x00007ce3552f7c32 (libmbim-glib.so.4 - mbim-message.c: 1293) mbim_message_dup
0x00007ce3552fbfd9 (libmbim-glib.so.4 - mbim-device.c: 661) data_available
0x00007ce35525639a (libglib-2.0.so.0 - gmain.c: 3325) g_main_context_dispatch
0x00007ce3552566a7 (libglib-2.0.so.0 - gmain.c: 4119) g_main_context_iterate
0x00007ce355256923 (libglib-2.0.so.0 - gmain.c: 4317) g_main_loop_run
0x00005ae0f48a5524 (mbim-proxy - mbim-proxy.c: 267) main
0x00007ce35501ce04 (libc.so.6) __libc_start_main
0x00005ae0f48a52d9 (mbim-proxy) _start
0x00007ffcca5b6897
Fixes https://gitlab.freedesktop.org/mobile-broadband/ModemManager/-/issues/422
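The ordering the commit message describes, as an added example that is not libmbim's code: a small device model whose error-signal handler force-closes and frees the pending response, with the task completed either after the signal is emitted (the crash above, modelled here as a failed duplicate instead of a NULL dereference) or before it (the fix). Every identifier prefixed ex_ is assumed for this example; the 4-byte response is constructed, not captured.

```c
/* Added example, not libmbim's code. A SIGNAL_ERROR-style callback may run
 * arbitrary user code that force-closes the device and frees its response
 * buffer; if the pending task is completed (and the response duplicated)
 * only after the signal returns, it works on cleared state. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct ex_device ex_device;
typedef void (*ex_error_cb)(ex_device *dev, void *user_data);

struct ex_device {
    uint8_t    *response;        /* pending response bytes, owned by the device */
    size_t      response_len;
    ex_error_cb on_error;        /* user handler connected to the error signal */
    void       *user_data;
    uint8_t    *task_result;     /* duplicate handed to the task's caller */
    size_t      task_result_len;
};

/* What an mbim-proxy-like user does on SIGNAL_ERROR: force-close, which
 * clears the in-flight response buffer. */
void ex_force_close_on_error(ex_device *dev, void *user_data) {
    (void)user_data;
    free(dev->response);
    dev->response = NULL;
    dev->response_len = 0;
}

static void ex_emit_error(ex_device *dev) {
    if (dev->on_error)
        dev->on_error(dev, dev->user_data);   /* arbitrary user code runs here */
}

/* Duplicate the response into the task result. Returns false when there is
 * nothing left to duplicate (the real code dereferenced it and crashed). */
static bool ex_complete_task(ex_device *dev) {
    if (dev->response == NULL)
        return false;
    dev->task_result = malloc(dev->response_len);
    if (dev->task_result == NULL)
        return false;
    memcpy(dev->task_result, dev->response, dev->response_len);
    dev->task_result_len = dev->response_len;
    return true;
}

/* Buggy order: signal first, completion second. The handler has already
 * cleared dev->response by the time the duplicate is attempted. */
bool ex_handle_error_buggy(ex_device *dev) {
    ex_emit_error(dev);
    return ex_complete_task(dev);
}

/* Fixed order: complete the task and duplicate the response before any
 * user code gets a chance to run. */
bool ex_handle_error_fixed(ex_device *dev) {
    bool ok = ex_complete_task(dev);
    ex_emit_error(dev);
    return ok;
}

/* Constructed fixture: a device holding a 4-byte pending response with the
 * force-close handler connected. */
void ex_device_init(ex_device *dev) {
    static const uint8_t sample[4] = {0x01, 0x00, 0x00, 0x80};  /* constructed bytes */
    memset(dev, 0, sizeof *dev);
    dev->response = malloc(sizeof sample);
    if (dev->response == NULL)
        return;
    memcpy(dev->response, sample, sizeof sample);
    dev->response_len = sizeof sample;
    dev->on_error = ex_force_close_on_error;
}

void ex_device_clear(ex_device *dev) {
    free(dev->response);
    free(dev->task_result);
    memset(dev, 0, sizeof *dev);
}

int main(void) {
    ex_device d;
    ex_device_init(&d);
    printf("buggy order completes task: %d\n", ex_handle_error_buggy(&d));
    ex_device_clear(&d);
    ex_device_init(&d);
    printf("fixed order completes task: %d\n", ex_handle_error_fixed(&d));
    ex_device_clear(&d);
    return 0;
}
```

The general rule the fix applies: finish every use of shared object state before emitting a signal, because the handler on the other side of that signal is free to tear the object down.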
Fixes https://gitlab.freedesktop.org/mobile-broadband/libmbim/-/issues/33
There is no compat action given with the old name, because the old
name already exists in the basic connect service. These Quectel
specific methods should have always been prefixed with --quectel.
This commit provides an option to test UICC terminal capability
using an mbimcli option.
Co-author: Bestha, Lakshminarayana
This commit provides an option to test UICC reset
using an mbimcli option.
Co-author: Bestha, Lakshminarayana
This commit provides an option to test UICC APDU
using an mbimcli option.
Co-author: Bestha, Lakshminarayana
This commit provides an option to test UICC ATR
using an mbimcli option.
Co-author: Bestha, Lakshminarayana
Fixes https://gitlab.freedesktop.org/mobile-broadband/libmbim/-/issues/31
AtrData should be a byte array as per the MBIM spec,
but the data type is used as a string in the JSON.
Co-author: Bestha, Lakshminarayana
This commit provides an option to test close channel
using an mbimcli option.
Co-author: Bestha, Lakshminarayana
This commit provides an option to test open channel
using an mbimcli option.
Co-author: Bestha, Lakshminarayana
The methods are protected with g_return_() checks.
These checks may be disabled on specific builds, so it is still
expected that the user has called mbim_message_validate() before using
the methods.
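The two points above (the type-specific header bounds check that the ASAN-detected commit adds, and the warning that g_return_*() guards are not the real protection) as one added example that is not libmbim's code: a minimal validator for the MBIM message layout (12-byte message header; 8-byte fragment header on COMMAND and COMMAND_DONE; 28-byte type-specific header on the first fragment only), followed by an accessor whose guard can be compiled out. The type values and header sizes are the MBIM 1.0 spec's; every identifier prefixed mbim_example_ or MBIM_EX_ is this example's own, and the sample message is constructed, not captured from a device.

```c
/*
 * Added example, not libmbim's code: a minimal MBIM message validator.
 * Every field read is preceded by a length check, so a truncated message is
 * rejected in validation instead of overflowing the heap buffer inside an
 * accessor later on. Identifiers prefixed mbim_example_ / MBIM_EX_ are this
 * example's own; the type values and header sizes are the MBIM 1.0 spec's.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MBIM_EX_TYPE_COMMAND       0x00000003u
#define MBIM_EX_TYPE_COMMAND_DONE  0x80000003u

#define MBIM_EX_MSG_HDR   12u  /* MessageType, MessageLength, TransactionId */
#define MBIM_EX_FRAG_HDR   8u  /* TotalFragments, CurrentFragment */
#define MBIM_EX_TYPE_HDR  28u  /* DeviceServiceId(16), CID(4), CommandType|Status(4), InfoBufLen(4) */

uint32_t mbim_example_rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

void mbim_example_put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Validate one received fragment held in buf[0..len). */
bool mbim_example_validate(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < MBIM_EX_MSG_HDR)
        return false;
    uint32_t type = mbim_example_rd32(buf);
    uint32_t msg_len = mbim_example_rd32(buf + 4);
    if (msg_len < MBIM_EX_MSG_HDR || msg_len > len)
        return false;                 /* declared length must fit the bytes received */
    if (type != MBIM_EX_TYPE_COMMAND && type != MBIM_EX_TYPE_COMMAND_DONE)
        return true;                  /* other message types carry no fragment header */
    if (msg_len < MBIM_EX_MSG_HDR + MBIM_EX_FRAG_HDR)
        return false;                 /* fragment header must be readable on every fragment */
    uint32_t total = mbim_example_rd32(buf + 12);
    uint32_t current = mbim_example_rd32(buf + 16);
    if (total == 0 || current >= total)
        return false;
    if (current != 0)
        return true;                  /* continuation fragments carry raw payload only */
    /* First fragment: the type-specific header must also be readable before
     * anything reads it. This is the check whose absence ASAN reported. */
    size_t off = MBIM_EX_MSG_HDR + MBIM_EX_FRAG_HDR;
    if (msg_len < off + MBIM_EX_TYPE_HDR)
        return false;
    /* For a single-fragment message the InformationBuffer must fit as well. */
    uint32_t info_len = mbim_example_rd32(buf + off + 24);
    if (total == 1 && info_len > msg_len - off - MBIM_EX_TYPE_HDR)
        return false;
    return true;
}

/* Stand-in for g_return_val_if_fail(): compiles to nothing when
 * MBIM_EX_DISABLE_CHECKS is defined, as G_DISABLE_CHECKS does for GLib. */
#ifdef MBIM_EX_DISABLE_CHECKS
#define MBIM_EX_RETURN_VAL_IF_FAIL(cond, val) do { } while (0)
#else
#define MBIM_EX_RETURN_VAL_IF_FAIL(cond, val) do { if (!(cond)) return (val); } while (0)
#endif

/* Accessor for the COMMAND_DONE Status field (offset 12 + 8 + 16 + 4 = 40).
 * The guard is a debugging aid only; the caller must have run
 * mbim_example_validate() on the same buffer first. */
int mbim_example_command_done_status(const uint8_t *buf, size_t len, uint32_t *status) {
    MBIM_EX_RETURN_VAL_IF_FAIL(buf != NULL && len >= 44 &&
                               mbim_example_rd32(buf) == MBIM_EX_TYPE_COMMAND_DONE, -1);
    *status = mbim_example_rd32(buf + 40);
    return 0;
}

/* Constructed sample, not captured from a device: a complete single-fragment
 * COMMAND_DONE with Status 0 and an empty InformationBuffer (48 bytes). */
size_t mbim_example_sample_command_done(uint8_t *out, size_t cap) {
    const size_t n = MBIM_EX_MSG_HDR + MBIM_EX_FRAG_HDR + MBIM_EX_TYPE_HDR;
    if (out == NULL || cap < n)
        return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = 0;
    mbim_example_put32(out + 0, MBIM_EX_TYPE_COMMAND_DONE);
    mbim_example_put32(out + 4, (uint32_t)n);  /* MessageLength */
    mbim_example_put32(out + 8, 1);            /* TransactionId */
    mbim_example_put32(out + 12, 1);           /* TotalFragments */
    mbim_example_put32(out + 16, 0);           /* CurrentFragment */
    return n;                                  /* UUID, CID, Status, InfoBufLen stay zero */
}

int main(void) {
    uint8_t buf[64];
    size_t n = mbim_example_sample_command_done(buf, sizeof buf);
    printf("complete message valid: %d\n", mbim_example_validate(buf, n));
    /* Declare only 24 bytes: fragment header readable, type-specific header not. */
    mbim_example_put32(buf + 4, 24);
    printf("truncated message valid: %d\n", mbim_example_validate(buf, 24));
    return 0;
}
```

Build once with -DMBIM_EX_DISABLE_CHECKS to see the point of the second commit: the accessor's guard vanishes and only a prior mbim_example_validate() call stands between a truncated buffer and an out-of-bounds read.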
This commit provides an option to test service activation
using an mbimcli option.
Co-author: Bestha, Lakshminarayana
This commit provides an option to test emergency mode state
using an mbimcli option.
Co-author: Bestha, Lakshminarayana
This commit provides an option to test network idle hint
using an mbimcli option.
Co-author: Bestha, Lakshminarayana
This commit provides an option to test signal-state
using an mbimcli option.
Co-author: Bestha, Lakshminarayana
This commit provides an option to test provisioned context
using an mbimcli option.
Co-author: Bestha, Lakshminarayana
Found during code review, no valgrind backtrace available.
==84574== Invalid free() / delete / delete[] / realloc()
==84574== at 0x484426F: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==84574== by 0x4CEAB75: g_error_free (gerror.c:853)
==84574== by 0x49E5903: glib_autoptr_clear_GError (glib-autocleanups.h:52)
==84574== by 0x49E5903: glib_autoptr_cleanup_GError (glib-autocleanups.h:52)
==84574== by 0x49E5903: device_services_message_ready (mbim-device.c:1730)
==84574== by 0x4B24503: g_task_return_now (gtask.c:1230)
==84574== by 0x4B281BC: UnknownInlinedFun (gtask.c:1299)
==84574== by 0x4B281BC: g_task_return (gtask.c:1256)
==84574== by 0x49E23B2: transaction_task_complete_and_free (mbim-device.c:253)
==84574== by 0x49E2977: transaction_timed_out (mbim-device.c:335)
==84574== by 0x4CFF336: g_timeout_dispatch (gmain.c:4971)
==84574== by 0x4CFEB2A: UnknownInlinedFun (gmain.c:3417)
==84574== by 0x4CFEB2A: g_main_context_dispatch (gmain.c:4135)
==84574== by 0x4D54E78: g_main_context_iterate.constprop.0 (gmain.c:4211)
==84574== by 0x4CFE08E: g_main_loop_run (gmain.c:4411)
==84574== by 0x1422A6: main (in /usr/bin/ModemManager)
==84574== Address 0x8b0d810 is 0 bytes inside a block of size 22 free'd
==84574== at 0x484426F: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==84574== by 0x4CEAB75: g_error_free (gerror.c:853)
==84574== by 0x4CEAD3A: g_clear_error (gerror.c:1052)
==84574== by 0x1D8526: mbim_port_open_ready (in /usr/bin/ModemManager)
==84574== by 0x4B24503: g_task_return_now (gtask.c:1230)
==84574== by 0x4B281BC: UnknownInlinedFun (gtask.c:1299)
==84574== by 0x4B281BC: g_task_return (gtask.c:1256)
==84574== by 0x217BB6: mbim_device_open_ready (in /usr/bin/ModemManager)
==84574== by 0x4B24503: g_task_return_now (gtask.c:1230)
==84574== by 0x4B281BC: UnknownInlinedFun (gtask.c:1299)
==84574== by 0x4B281BC: g_task_return (gtask.c:1256)
==84574== by 0x49E58DD: device_services_message_ready (mbim-device.c:1748)
==84574== by 0x4B24503: g_task_return_now (gtask.c:1230)
==84574== by 0x4B281BC: UnknownInlinedFun (gtask.c:1299)
==84574== by 0x4B281BC: g_task_return (gtask.c:1256)
==84574== Block was alloc'd at
==84574== at 0x4841888: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==84574== by 0x4D079D9: g_malloc (gmem.c:125)
==84574== by 0x4D1CB44: g_strdup (gstrfuncs.c:361)
==84574== by 0x4CEA832: g_error_copy (gerror.c:892)
==84574== by 0x49E23A7: transaction_task_complete_and_free (mbim-device.c:253)
==84574== by 0x49E2977: transaction_timed_out (mbim-device.c:335)
==84574== by 0x4CFF336: g_timeout_dispatch (gmain.c:4971)
==84574== by 0x4CFEB2A: UnknownInlinedFun (gmain.c:3417)
==84574== by 0x4CFEB2A: g_main_context_dispatch (gmain.c:4135)
==84574== by 0x4D54E78: g_main_context_iterate.constprop.0 (gmain.c:4211)
==84574== by 0x4CFE08E: g_main_loop_run (gmain.c:4411)
==84574== by 0x1422A6: main (in /usr/bin/ModemManager)
$ sudo mbimcli -p -d /dev/wwan0mbim0 --ms-query-uicc-read-record="application-id=A0000000871002FF34FF0789312E30FF,file-path=3F002FE2"
[/dev/wwan0mbim0] UICC file record read:
Status word 1: 144
Status word 2: 0
Data: 98:43:70:77:00:10:85:84:36:F8
$ sudo mbimcli -p -d /dev/wwan0mbim0 --ms-query-uicc-read-binary="application-id=A0000000871002FF34FF0789312E30FF,file-path=7FFF6F3E"
[/dev/wwan0mbim0] UICC file binary read:
Status word 1: 144
Status word 2: 0
Data: 01
$ sudo mbimcli -p -d /dev/wwan0mbim0 --ms-query-uicc-file-status="application-id=A0000000871002FF34FF0789312E30FF,file-path=7FFF6F3E"
[/dev/wwan0mbim0] UICC file status retrieved:
Status word 1: 144
Status word 2: 0
Accessibility: unknown
Type: unknown
Structure: transparent
Item count: 1
Item size: 1
Access conditions:
Read: pin1
Update: adm
Activate: adm
Deactivate: adm
$ sudo mbimcli -p -d /dev/wwan0mbim0 --ms-query-uicc-file-status="application-id=A0000000871002FF34FF0789312E30FF,file-path=3F002FE2"
[/dev/wwan0mbim0] UICC file status retrieved:
Status word 1: 144
Status word 2: 0
Accessibility: unknown
Type: unknown
Structure: transparent
Item count: 1
Item size: 10
Access conditions:
Read: unknown
Update: unknown
Activate: adm
Deactivate: adm
$ sudo mbimcli -d /dev/wwan0mbim0 --ms-query-uicc-application-list -p
[/dev/wwan0mbim0] UICC applications: (1)
Application 0: (active)
Application type: usim
Application ID: A0:00:00:00:87:10:02:FF:34:FF:07:89:31:2E:30:FF
Application name: Movistar
PIN key reference count: 2
PIN key references: 01:81
These values are defined by Microsoft in its MbimPinTypeEx type, which
is backwards compatible with the original MbimPinType defined in MBIM
1.0.
Certain messages may report strings in UTF-8 already instead of using
the usual UTF-16 encoding.
Always use the built-in headers, don't try to reuse the kernel and/or
libc headers.
The safeguards in the provided files are given so that if the
external headers are in effect, the built-in ones get ignored.
Refactor net-port-manager code in preparation for wwan support.