[Pkg-bluetooth-maintainers] Bug#592124: bluez-hcidump: Segmentation fault during communication with a phone

Németh Márton nm127 at freemail.hu
Sat Aug 7 18:00:41 UTC 2010


Cc: linux-bluetooth at vger.kernel.org

I downloaded the sources from http://bluez.sf.net/download/bluez-hcidump-1.42.tar.gz
and compiled with the following commands:

$ ./configure --prefix=/home/nmarci/usr/local/bluez-hcidump --enable-debug --disable-pie
$ make

Then I ran hcidump with gdb:
$ su
# gdb ./src/hcidump
(gdb) run
Starting program: /home/nmarci/src/bluez-hcidump-1.42/src/hcidump
HCI sniffer - Bluetooth packet analyzer ver 1.42
device: hci0 snap_len: 1028 filter: 0xffffffff

After this point I ran the previously attached MIDlet on the Nokia
6288 phone. The result is the same: "Segmentation fault":

[...]

< ACL data: handle 11 flags 0x02 dlen 9
    L2CAP(d): cid 0x0040 len 5 [psm 3]
      RFCOMM(d): UIH: cr 0 dlci 18 pf 1 ilen 0 fcs 0x8 credits 33
> ACL data: handle 11 flags 0x02 dlen 9
    L2CAP(d): cid 0x0040 len 5 [psm 3]
      RFCOMM(d): UIH: cr 1 dlci 18 pf 1 ilen 0 fcs 0xd2 credits 9
> HCI Event: Number of Completed Packets (0x13) plen 5
> ACL data: handle 11 flags 0x02 dlen 9
    L2CAP(d): cid 0x0040 len 5 [psm 3]
      RFCOMM(d): UIH: cr 1 dlci 18 pf 0 ilen 1 fcs 0xce
        OBEX: Connect cmd(c): len 5115 version 11.7 flags 208 mtu 5115
        Unknown (0xb7) = 0
        Count (0x00) = Unicode length 65533
        Count (0x00) = Unicode length 65533
        Count (0x00) = Unicode length 65533

Program received signal SIGSEGV, Segmentation fault.
0x0805b19d in get_u8 (frm=0x806f028) at parser.h:163
163             return *u8_ptr;
(gdb) bt
#0  0x0805b19d in get_u8 (frm=0x806f028) at parser.h:163
#1  0x0805b4cb in parse_headers (level=3, frm=0x806f028) at obex.c:196
#2  0x0805b9ae in obex_dump (level=3, frm=0x806f028) at obex.c:307
#3  0x08057d61 in uih_frame (level=2, frm=0xbffff4c0, head=0xbffff386) at rfcomm.c:278
#4  0x08057e93 in rfcomm_dump (level=2, frm=0xbffff4c0) at rfcomm.c:325
#5  0x08055224 in l2cap_parse (level=2, frm=0xbffff4c0) at l2cap.c:828
#6  0x0805546b in l2cap_dump (level=1, frm=0xbffff4c0) at l2cap.c:904
#7  0x080531d6 in acl_dump (level=1, frm=0xbffff4c0) at hci.c:3226
#8  0x080534f9 in hci_dump (level=0, frm=0xbffff4c0) at hci.c:3302
#9  0x080495f9 in parse (frm=0xbffff4c0) at ../parser/parser.h:248
#10 0x08049dbd in process_frames (dev=0, sock=5, fd=-1, flags=0) at hcidump.c:352
#11 0x0804b5ce in main (argc=0, argv=0xbffff668) at hcidump.c:1147
(gdb)
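The backtrace shows get_u8 dereferencing a pointer that has already run past the end of the captured frame: the RFCOMM layer delivered a one-byte payload (ilen 1), yet the OBEX layer printed a Connect packet of length 5115 and three Unicode headers of length 65533, which means the header lengths carried in the packet were used without checking them against the bytes actually available. The following is an added illustration of the defensive check that avoids this class of crash; it is not bluez-hcidump's code, and the struct frame, the function names and the sample byte strings are all constructed for this example. Every read consults the remaining length first, and a declared packet or header length larger than the buffer is treated as a parse error instead of a pointer to walk.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed (pointer, remaining-bytes) cursor; not bluez-hcidump's struct frame. */
struct frame {
    const uint8_t *ptr;
    size_t len;
};

/* OBEX header identifiers: the top two bits select the encoding. */
enum {
    OBEX_HI_UNICODE = 0x00,  /* 2-byte length, then UTF-16 text */
    OBEX_HI_BYTES   = 0x40,  /* 2-byte length, then a byte sequence */
    OBEX_HI_U8      = 0x80,  /* one byte */
    OBEX_HI_U32     = 0xC0   /* four bytes */
};

#define OBEX_OPCODE_CONNECT 0x80   /* Connect request with the final bit set */

/* Each accessor refuses to read past the end of the frame. */
static int get_u8_checked(struct frame *frm, uint8_t *out)
{
    if (frm->len < 1) return -1;
    *out = frm->ptr[0];
    frm->ptr += 1; frm->len -= 1;
    return 0;
}

static int get_u16_checked(struct frame *frm, uint16_t *out)
{
    if (frm->len < 2) return -1;
    *out = (uint16_t)((frm->ptr[0] << 8) | frm->ptr[1]);  /* OBEX is big-endian */
    frm->ptr += 2; frm->len -= 2;
    return 0;
}

static int skip_checked(struct frame *frm, size_t n)
{
    if (frm->len < n) return -1;
    frm->ptr += n; frm->len -= n;
    return 0;
}

/* Walks the header list; returns the number of headers, or -1 if any header
   claims more bytes than remain in the buffer. */
int parse_obex_headers(const uint8_t *buf, size_t len)
{
    struct frame frm = { buf, len };
    int count = 0;

    while (frm.len > 0) {
        uint8_t hi;
        if (get_u8_checked(&frm, &hi)) return -1;
        switch (hi & 0xC0) {
        case OBEX_HI_UNICODE:
        case OBEX_HI_BYTES: {
            uint16_t hlen;
            if (get_u16_checked(&frm, &hlen)) return -1;
            if (hlen < 3) return -1;                  /* length covers HI + 2 length bytes */
            if (skip_checked(&frm, hlen - 3)) return -1;
            break;
        }
        case OBEX_HI_U8:  if (skip_checked(&frm, 1)) return -1; break;
        case OBEX_HI_U32: if (skip_checked(&frm, 4)) return -1; break;
        }
        count++;
    }
    return count;
}

/* Parses a Connect request (opcode, packet length, version, flags, max packet
   size, headers). The declared packet length must fit inside the buffer. */
int parse_obex_connect(const uint8_t *buf, size_t len)
{
    struct frame frm = { buf, len };
    uint8_t opcode, version, flags;
    uint16_t plen, mtu;

    if (get_u8_checked(&frm, &opcode) || get_u16_checked(&frm, &plen) ||
        get_u8_checked(&frm, &version) || get_u8_checked(&frm, &flags) ||
        get_u16_checked(&frm, &mtu))
        return -1;
    if (opcode != OBEX_OPCODE_CONNECT) return -1;
    if (plen < 7 || plen > len) return -1;   /* header said 5115 bytes for a 1-byte payload */
    return parse_obex_headers(buf + 7, plen - 7);
}

/* Constructed samples. */
int example_valid(void)      /* Connect with a Length (0xC4) header and Name "A" */
{
    static const uint8_t pkt[] = { 0x80, 0x00, 0x13, 0x10, 0x00, 0x04, 0x00,
                                   0xC4, 0x00, 0x00, 0x00, 0x01,
                                   0x01, 0x00, 0x07, 0x00, 0x41, 0x00, 0x00 };
    return parse_obex_connect(pkt, sizeof pkt);
}
int example_oversized_unicode(void)   /* Unicode header claiming 0xFFFD bytes */
{
    static const uint8_t pkt[] = { 0x80, 0x00, 0x0A, 0x10, 0x00, 0x04, 0x00,
                                   0x00, 0xFF, 0xFD };
    return parse_obex_connect(pkt, sizeof pkt);
}
int example_declared_len_too_big(void)   /* packet length 5115 in a 7-byte buffer */
{
    static const uint8_t pkt[] = { 0x80, 0x13, 0xFB, 0x10, 0x00, 0x04, 0x00 };
    return parse_obex_connect(pkt, sizeof pkt);
}

int main(void)
{
    printf("valid: %d headers\n", example_valid());
    printf("oversized unicode header: %d\n", example_oversized_unicode());
    printf("declared length too big: %d\n", example_declared_len_too_big());
    return 0;
}
```

The three sample packets cover the shape of what the capture above shows: a well-formed Connect parses to two headers, while a Unicode header length of 65533 or a declared packet length of 5115 that exceeds the bytes on hand both return -1 before any pointer leaves the buffer.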