MBIM bearer: connection failure message parsed incorrectly
We're parsing the Connection Failure response message contents to look for the "nwerror" field, but we cannot do that if the message doesn't contain a payload (the information buffer length is 0):
ModemManager[47274]: [/dev/cdc-wdm1] Received message...
>>>>>> RAW:
>>>>>> length = 48
>>>>>> data = 03:00:00:80:30:00:00:00:1A:0D:00:00:01:00:00:00:00:00:00:00:A2:89:CC:33:BC:BB:8B:4F:B6:B0:13:3E:C2:AA:E6:DF:0C:00:00:00:02:00:00:00:00:00:00:00
ModemManager[47274]: [/dev/cdc-wdm1] Received message (translated)...
>>>>>> Header:
>>>>>> length = 48
>>>>>> type = command-done (0x80000003)
>>>>>> transaction = 3354
>>>>>> Fragment header:
>>>>>> total = 1
>>>>>> current = 0
>>>>>> Contents:
>>>>>> status error = 'Failure' (0x00000002)
>>>>>> service = 'basic-connect' (a289cc33-bcbb-8b4f-b6b0-133ec2aae6df)
>>>>>> cid = 'connect' (0x0000000c)
As seen in valgrind:
==47274== Invalid read of size 4
==47274== at 0x4CC6FED: _mbim_message_read_guint32 (mbim-message.c:181)
==47274== by 0x4CE37AC: mbim_message_connect_response_parse (mbim-basic-connect.c:6689)
==47274== by 0x1FA3FE: connect_set_ready (mm-bearer-mbim.c:581)
==47274== by 0x4EA4C73: ??? (in /usr/lib/libgio-2.0.so.0.6200.2)
==47274== by 0x4EAA496: ??? (in /usr/lib/libgio-2.0.so.0.6200.2)
==47274== by 0x4CCA94E: transaction_task_complete_and_free (mbim-device.c:247)
==47274== by 0x4CCB7F2: process_message (mbim-device.c:674)
==47274== by 0x4CCBA54: parse_response (mbim-device.c:762)
==47274== by 0x4CCBD68: data_available (mbim-device.c:842)
==47274== by 0x50612BE: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.6200.2)
==47274== by 0x5063200: ??? (in /usr/lib/libglib-2.0.so.0.6200.2)
==47274== by 0x5064112: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.6200.2)
==47274== Address 0x5cf1bc0 is 16 bytes after a block of size 64 alloc'd
==47274== at 0x48386AF: malloc (vg_replace_malloc.c:308)
==47274== by 0x483ADE7: realloc (vg_replace_malloc.c:836)
==47274== by 0x505B768: g_realloc (in /usr/lib/libglib-2.0.so.0.6200.2)
==47274== by 0x509047B: ??? (in /usr/lib/libglib-2.0.so.0.6200.2)
==47274== by 0x5090939: g_array_sized_new (in /usr/lib/libglib-2.0.so.0.6200.2)
==47274== by 0x4CC83BD: mbim_message_new (mbim-message.c:1081)
==47274== by 0x4CC842C: mbim_message_dup (mbim-message.c:1100)
==47274== by 0x4CC924A: _mbim_message_fragment_collector_init (mbim-message.c:1459)
==47274== by 0x4CCB6FE: process_message (mbim-device.c:650)
==47274== by 0x4CCBA54: parse_response (mbim-device.c:762)
==47274== by 0x4CCBD68: data_available (mbim-device.c:842)
==47274== by 0x50612BE: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.6200.2)
I think the best way to fix this would be to make sure in libmbim itself that the parse() method fails if we try to read the payload for a message that doesn't have one.
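A bounds-checked parser along the lines the report proposes, written here as an added example (it is not libmbim's or ModemManager's code): it validates the declared InformationBufferLength before reading the CONNECT nwerror field, so the 48-byte message in the dump above yields an error instead of a read past the end of the buffer. The macro names, the parse_result_t enum and build_connect_done are assumptions made for this example; the field offsets follow the MBIM command-done and CONNECT layouts as reflected in the RAW dump (header, fragment header, service UUID, CID, status, buffer length, then the buffer).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* Fixed-size MBIM layout (constant names are hypothetical; offsets match the
 * RAW dump in the report): 12-byte message header, 8-byte fragment header,
 * 28 bytes of command-done info (UUID, CID, status, buffer length) = 48. */
#define MBIM_HEADER_LEN        12
#define MBIM_FRAGMENT_HDR_LEN  8
#define MBIM_CMD_DONE_INFO_LEN 28
#define MBIM_PAYLOAD_OFFSET    (MBIM_HEADER_LEN + MBIM_FRAGMENT_HDR_LEN + MBIM_CMD_DONE_INFO_LEN)
#define MBIM_STATUS_OFFSET     40
#define MBIM_INFO_LEN_OFFSET   44

/* CONNECT information buffer: session id, activation state, voice call state,
 * IP type (4 bytes each), 16-byte context type UUID, then nwerror at byte 32. */
#define CONNECT_NWERROR_OFFSET 32
#define CONNECT_INFO_LEN       36

typedef enum {
    PARSE_OK = 0,
    PARSE_ERR_TRUNCATED,   /* fewer bytes than the fixed headers need      */
    PARSE_ERR_LENGTH,      /* length fields disagree with the bytes we hold */
    PARSE_ERR_NO_PAYLOAD   /* InformationBufferLength too short for a field */
} parse_result_t;

/* Little-endian u32 read that refuses to go past the end of the buffer. */
static bool read_u32 (const uint8_t *buf, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 4) return false;
    *out = (uint32_t) buf[off] | ((uint32_t) buf[off + 1] << 8) |
           ((uint32_t) buf[off + 2] << 16) | ((uint32_t) buf[off + 3] << 24);
    return true;
}

static void write_u32 (uint8_t *buf, size_t off, uint32_t v) {
    buf[off] = (uint8_t) v;             buf[off + 1] = (uint8_t) (v >> 8);
    buf[off + 2] = (uint8_t) (v >> 16); buf[off + 3] = (uint8_t) (v >> 24);
}

/* Parse a command-done message and extract the CONNECT nwerror field. The
 * payload is only touched after both length checks pass, so an empty
 * information buffer (the case in the report) returns PARSE_ERR_NO_PAYLOAD. */
parse_result_t parse_connect_nwerror (const uint8_t *msg, size_t msg_len,
                                      uint32_t *status_out, uint32_t *nwerror_out) {
    uint32_t declared_len, info_len, status;
    if (msg_len < MBIM_PAYLOAD_OFFSET) return PARSE_ERR_TRUNCATED;
    if (!read_u32 (msg, msg_len, 4, &declared_len) || declared_len != msg_len)
        return PARSE_ERR_LENGTH;
    (void) read_u32 (msg, msg_len, MBIM_STATUS_OFFSET, &status);
    (void) read_u32 (msg, msg_len, MBIM_INFO_LEN_OFFSET, &info_len);
    if (status_out) *status_out = status;
    /* The information buffer must fit inside the message we actually hold... */
    if (info_len > msg_len - MBIM_PAYLOAD_OFFSET) return PARSE_ERR_LENGTH;
    /* ...and must be long enough to contain the field we are about to read. */
    if (info_len < CONNECT_NWERROR_OFFSET + 4) return PARSE_ERR_NO_PAYLOAD;
    (void) read_u32 (msg, msg_len, MBIM_PAYLOAD_OFFSET + CONNECT_NWERROR_OFFSET, nwerror_out);
    return PARSE_OK;
}

/* The 48-byte Connection Failure response copied from the report's RAW dump. */
const uint8_t failure_msg[48] = {
    0x03,0x00,0x00,0x80, 0x30,0x00,0x00,0x00, 0x1A,0x0D,0x00,0x00,
    0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0xA2,0x89,0xCC,0x33,0xBC,0xBB,0x8B,0x4F,0xB6,0xB0,0x13,0x3E,0xC2,0xAA,0xE6,0xDF,
    0x0C,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x00,0x00,0x00,0x00
};

/* Constructed (not captured) command-done message with a full 36-byte CONNECT
 * buffer, to show the same parser succeeding when the payload is present. */
size_t build_connect_done (uint8_t *out, size_t cap, uint32_t nwerror) {
    size_t total = MBIM_PAYLOAD_OFFSET + CONNECT_INFO_LEN;
    if (cap < total) return 0;
    memcpy (out, failure_msg, MBIM_PAYLOAD_OFFSET);   /* same headers, UUID, CID */
    write_u32 (out, 4, (uint32_t) total);
    write_u32 (out, MBIM_STATUS_OFFSET, 0);           /* status: success */
    write_u32 (out, MBIM_INFO_LEN_OFFSET, CONNECT_INFO_LEN);
    memset (out + MBIM_PAYLOAD_OFFSET, 0, CONNECT_INFO_LEN);
    write_u32 (out, MBIM_PAYLOAD_OFFSET + CONNECT_NWERROR_OFFSET, nwerror);
    return total;
}

int main (void) {
    uint32_t status = 0, nwerror = 0;
    uint8_t buf[128];
    parse_result_t r = parse_connect_nwerror (failure_msg, sizeof failure_msg, &status, &nwerror);
    printf ("failure message: result=%d status=0x%08x\n", (int) r, status);
    size_t n = build_connect_done (buf, sizeof buf, 0x21);
    r = parse_connect_nwerror (buf, n, &status, &nwerror);
    printf ("constructed message: result=%d nwerror=0x%08x\n", (int) r, nwerror);
    return 0;
}
```

The two checks mirror what the report asks of parse(): first that the declared information buffer lies within the bytes received, then that it is large enough for the field about to be read. Either one failing on the 48-byte dump is enough to avoid the out-of-bounds read valgrind flagged.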