GPSD upstream has released version 3.9:
[1] http://lists.nongnu.org/archive/html/gpsd-dev/2013-05/msg00000.html
correcting one denial of service problem [2]:
A denial of service flaw was found in the way the AIS driver packet parser of
gpsd, a service daemon for mediating access to a GPS, processed certain
malformed packets. A remote attacker could provide specially crafted
device input that, when processed, would lead to a crash of gpsd's packet
parser (gpsd daemon termination).
References:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=958717
Candidate upstream patches [*]:
[3] http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=08edc49d8f63c75bfdfb480b083b0d960310f94f
[4] http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=dd9c3c2830cb8f8fd8491ce68c82698dc5538f50
--
[*] Candidate because upstream #38511 is currently private:
http://savannah.nongnu.org/bugs/?38511 => it is hard to say
whether [3] fixes this issue, or whether the DoS would be caused
by the malformed packet crash / sample, as listed in [4].
@Eric - Eric, could you please help us resolve this doubt? (Which
of the patches is the correct one to fix the above-mentioned DoS
/ security issue?)
Thanks go to Miroslav Lichvar for bringing this one to my attention.
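The defect the advisory above describes is an accumulation loop that packs six-bit armored AIVDM payload characters into a fixed bit buffer without checking the bit count against the buffer's capacity. The following is an added, stand-alone C example written for this page; it is not gpsd's code and not part of the original post. It re-implements the six-bit decode, shows the unchecked write pattern beside a bounds check that is done in bits and before the write, and decodes a well-known type 1 sample payload to show the buffer is read back correctly. The capacity AIS_MAX_BITS, every function name and the sample payload are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity for this example; the size of gpsd's own bits[] array is
 * not visible in the patch.  Everything here is a standalone reimplementation. */
#define AIS_MAX_BITS 1024

struct ais_ctx {
    unsigned char bits[AIS_MAX_BITS / 8]; /* packed payload, MSB first */
    size_t bitlen;                        /* bits accumulated so far  */
};

static void ais_ctx_reset(struct ais_ctx *ctx)
{
    memset(ctx, 0, sizeof(*ctx));
}

/* AIVDM "six-bit ASCII": '0'..'W' and '`'..'w' map to 0..63; any other byte
 * is not a valid armored character and is rejected (returns -1). */
static int ais_sixbit(unsigned char ch)
{
    if (ch < '0' || ch > 'w' || (ch > 'W' && ch < '`'))
        return -1;
    int v = ch - 48;
    if (v > 40)
        v -= 8;
    return v;
}

/* Append six bits of v, MSB first, with no bounds check.  This is the
 * pre-fix pattern: bits[bitlen / 8] is written for whatever bitlen has
 * reached, so an overlong payload writes past the end of bits[].  Only
 * ever call it once the caller has verified there is room. */
static void ais_push_six_unchecked(struct ais_ctx *ctx, int v)
{
    for (int i = 5; i >= 0; i--) {
        if (v & (1 << i))
            ctx->bits[ctx->bitlen / 8] |= (unsigned char)(1u << (7 - ctx->bitlen % 8));
        ctx->bitlen++;
    }
}

/* Hardened accumulation: capacity is compared in bits (not bytes) and
 * before the write, so a payload that does not fit is refused with
 * nothing written and bitlen never exceeding AIS_MAX_BITS. */
static bool ais_add_payload(struct ais_ctx *ctx, const char *payload)
{
    for (const char *p = payload; *p != '\0'; p++) {
        int v = ais_sixbit((unsigned char)*p);
        if (v < 0)
            return false;                 /* bad armoring character */
        if (ctx->bitlen + 6 > AIS_MAX_BITS)
            return false;                 /* overlong payload: reject it */
        ais_push_six_unchecked(ctx, v);   /* safe: room checked above */
    }
    return true;
}

/* Read `width` (<= 32) bits starting at bit offset `start`, MSB first.
 * Bits at or beyond bitlen read as zero rather than reading past the buffer. */
static uint32_t ais_ubits(const struct ais_ctx *ctx, size_t start, size_t width)
{
    uint32_t val = 0;
    for (size_t b = start; b < start + width; b++) {
        val <<= 1;
        if (b < ctx->bitlen && (ctx->bits[b / 8] & (0x80u >> (b % 8))))
            val |= 1u;
    }
    return val;
}

/* Constructed sample: a widely circulated AIVDM type 1 position report
 * payload (28 characters, 168 bits).  Message type is bits 0..5, MMSI 8..37. */
static const char SAMPLE_PAYLOAD[] = "177KQJ5000G?tO`K>RA1wUbN0TKH";

/* Decode the sample and return one field; 0 if the payload is refused. */
static uint32_t sample_field(size_t start, size_t width)
{
    struct ais_ctx ctx;
    ais_ctx_reset(&ctx);
    if (!ais_add_payload(&ctx, SAMPLE_PAYLOAD))
        return 0;
    return ais_ubits(&ctx, start, width);
}

/* Feed a payload of valid characters that is longer than the buffer
 * (177 characters, 1062 bits).  With the hardened path the payload is
 * rejected and bitlen stays within capacity. */
static bool overlong_payload_rejected(void)
{
    char overlong[AIS_MAX_BITS / 6 + 8];
    memset(overlong, '0', sizeof(overlong) - 1);
    overlong[sizeof(overlong) - 1] = '\0';
    struct ais_ctx ctx;
    ais_ctx_reset(&ctx);
    bool accepted = ais_add_payload(&ctx, overlong);
    return !accepted && ctx.bitlen <= AIS_MAX_BITS;
}

int main(void)
{
    printf("type=%u mmsi=%u overlong_rejected=%s\n",
           (unsigned)sample_field(0, 6), (unsigned)sample_field(8, 30),
           overlong_payload_rejected() ? "yes" : "no");
    return 0;
}
```

The check is deliberately `bitlen + 6 > AIS_MAX_BITS` before the store rather than a comparison after the increment: once a bit has been OR'ed into `bits[bitlen / 8]`, a check that follows it is one write too late.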
diff --git a/drivers.c b/drivers.c
index 8d6ebd0..e663290 100644
--- a/drivers.c
+++ b/drivers.c
@@ -1328,6 +1328,10 @@ static bool aivdm_decode(const char *buf, size_t buflen,
(1 << (7 - ais_context->bitlen % 8));
}
ais_context->bitlen++;
+ if (ais_context->bitlen > sizeof(ais_context->bits)) {
+ gpsd_report(LOG_INF, "overlong AIVDM payload truncated.\n");
+ return false;
+ }
}
/*@ +shiftnegative @*/
}
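Review bot: the bound `if (ais_context->bitlen > sizeof(ais_context->bits))` compares a count of bits with a count of bytes. `bitlen` is indexed in bits on the lines just above (`bitlen / 8` selects the byte, `bitlen % 8` the bit, as the `(1 << (7 - ais_context->bitlen % 8))` shift shows), while `sizeof(ais_context->bits)` is the byte length of the array, so the payload is refused after `sizeof(bits)` bits, one eighth of the buffer. That errs on the safe side, but if it is corrected to `sizeof(ais_context->bits) * 8` the test must also move ahead of the `|=` store, because it currently runs only after `bitlen++`, and with a bit-sized bound the store for `bitlen == sizeof(bits) * 8` would land at `bits[sizeof(bits)]`. Suggested shape: `if (ais_context->bitlen >= sizeof(ais_context->bits) * 8)` checked before the store. Separately, the log line says "truncated" while the function returns false, i.e. the packet is rejected rather than truncated; the message should say which.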
diff --git a/NEWS b/NEWS
index 88dfb58..867b80d 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,6 @@
* Repository head
- Armor the AIS driver against an implausible overrun attack. Minor
+ Armor the AIS driver against an implausible overrun attack. A fix
+ for our first malformed-packet crash since about 2007. Minor
improvements to the NMEA2000 driver. New FAQ entry on how to know
WAAS/EGNOS is working.
diff --git a/packet.c b/packet.c
index 566b9fd..9bb7723 100644
--- a/packet.c
+++ b/packet.c
@@ -485,9 +485,8 @@ static void nextstate(struct gps_packet_t *lexer, unsigned char c)
/* not strictly correct, but helps for interpreting logfiles */
lexer->state = NMEA_RECOGNIZED;
else if (c == '$'){
- /* faster recovery from missing sentence trailers */
- lexer->state = NMEA_DOLLAR;
- lexer->inbufptr += (n-1);
+ lexer->state = GROUND_STATE;
+ character_pushback(lexer);
} else if (!isprint(c))
lexer->state = GROUND_STATE;
break;
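Review bot: the dropped comment `/* faster recovery from missing sentence trailers */` is not replaced, so `lexer->state = GROUND_STATE; character_pushback(lexer);` gives no hint that a '$' seen mid-sentence now restarts the lexer from ground state with the '$' re-read, nor that the removed `lexer->inbufptr += (n-1);` skip is what went wrong on an unterminated sentence. Add a one-line comment naming the unterminated-sentence case (and the bug number once it is public) so nobody reinstates the shortcut. The `else if (!isprint(c))` branch just below also goes to GROUND_STATE but without a pushback; a note on why the '$' must be pushed back while a non-printable byte can simply be dropped would make the asymmetry deliberate rather than accidental.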
diff --git a/test/daemon/triton400.log b/test/daemon/triton400.log
index 22352ce..9c2f107 100644
--- a/test/daemon/triton400.log
+++ b/test/daemon/triton400.log
@@ -1,9 +1,10 @@
# Name: Magellan Triton 400
-# Chipset = SirfStar III
-# Firmware = GSW3.2.4
-# Date = 2013-03-31
-# Submitter = James Gerlach <jpgerlach@gmail.com>
-# Location = Wellington, FL, USA, 26d39mN 80d15mW
+# Chipset: SirfStar III
+# Firmware: GSW3.2.4
+# Date: 2013-03-31
+# Submitter: = James Gerlach <jpgerlach@gmail.com>
+# Location: Wellington, FL, USA, 26d39mN 80d15mW
+# Note: There's a malformed unterminated GGA packet on line 12
$GPGSV,3,1,11,08,75,303,44,07,66,172,51,11,51,055,36,28,39,325,36*76
$GPGSV,3,2,11,17,31,254,51,26,13,295,51,09,12,322,36,19,12,046,51*76
$GPGSV,3,3,11,20,09,138,36,13,04,183,51,32,03,113,44,,,,*44
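Review bot: `# Submitter: = James Gerlach <jpgerlach@gmail.com>` keeps a stray `=` from the old `Key = value` form that the other header lines lost in the `Key: value` conversion; drop it. The new note says the malformed, unterminated GGA sentence is on line 12, which lies outside this hunk's ten lines, so the regression input cannot be confirmed from the diff; quoting the offending sentence in the note (or referring to it from the NEWS entry) would make the purpose of this test change visible to a reviewer.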
diff --git a/www/faq.html.in b/www/faq.html.in
index 231e201..86b5714 100644
--- a/www/faq.html.in
+++ b/www/faq.html.in
@@ -300,7 +300,7 @@ still reproducible.</p>
<h3>10. If your bug core-dumps gpsd, send us a stack trace.</h3>
-<p>Though it happens seldom (we've had only 2 such reports since about
+<p>Though it happens seldom (we've had only 3 such reports since about
mid-2005), badly-formed input from a device with poor standards
compliance has been known to core-dump gpsd. If your gpsd has
core-dumped, try to use gdb or whatever your local symbolic debugger
@@ -960,7 +960,7 @@ and remove it.</p>
<p>See <a href="http://www.bitdirect.nl/?p=47">this blog post</a> for
a procedure for hunting down the bad app. In this particular case it
-was something called <code>buienradar</a>.
+was something called <code>buienradar</code></a>.
<p>On the Samsung Galaxy SIII, vendor firmware provides a "Remote
Location" service with a similar bug. You can disable this through