sudo upscmd -u XXX -p XXX test.battery.start.XXX all type causing segmentation false

[siravijbb]

nutdrv_qx: SIGSEGV in main_instcmd() when INSTCMD sent without extra parameter

Environment

• NUT version: 2.8.1
• OS: Debian Trixie (Raspberry Pi, aarch64)
• Driver: nutdrv_qx (Megatec 0.07 protocol)
• UPS: MEC MEC0003 2000VA (VendorID: 0001, ProductID: 0000)

Description

When upscmd sends an INSTCMD with no extra parameter (e.g. test.battery.start.quick),
the driver crashes with SIGSEGV inside __vsnprintf_chk.

Steps to Reproduce

upscmd -u admin -p password nutdev1 test.battery.start.quick

Expected Behavior

Battery test executes. Driver continues running.

Actual Behavior

Driver crashes with segmentation fault.

Root Cause

In drivers/dstate.c, sock_arg() correctly sets cmdparam to NULL when no extra
parameter is present (i.e. numarg == 2), but then passes arg[2] — a garbage/uninitialized
pointer — directly to main_instcmd() instead of using cmdparam:

// dstate.c ~line 783
ret = main_instcmd(arg[1], arg[2], conn);  // BUG: arg[2] is garbage when numarg == 2

main_instcmd() in drivers/main.c then passes this garbage pointer to upsdebugx():

// main.c ~line 700
upsdebugx(2, "entering main_instcmd(%s, %s) for [%s] on %s",
        cmdname, extra, NUT_STRARG(upsname), buf);  // extra = 0x26 → SIGSEGV

vsnprintf attempts to dereference 0x26 as a string pointer → SIGSEGV.

GDB Stack Trace

Thread 1 "nutdrv_qx" received signal SIGSEGV, Segmentation fault.
#3 __vsnprintf_chk () from /lib/aarch64-linux-gnu/libc.so.6
#4 vupslog (fmt="[D2] entering main_instcmd(%s, %s) for [%s] on %s") at common.c:1283
#5 main_instcmd (cmdname="test.battery.start.quick",
extra=0x26 <error: Cannot access memory at address 0x26>,
conn=0x555569fcc0) at main.c:700
#6 sock_arg (conn=0x555569fcc0) at dstate.c:783
#7 sock_read (conn=0x555569fcc0) at dstate.c:920
#8 dstate_poll_fds () at dstate.c:1094
#9 main () at main.c:2448

Fix

drivers/dstate.c line 783 — use cmdparam (which is already correctly set to NULL
when no parameter is present) instead of raw arg[2]:

- ret = main_instcmd(arg[1], arg[2], conn);
+ ret = main_instcmd(arg[1], cmdparam, conn);

Optionally, also harden the debug log in drivers/main.c line 700:

- upsdebugx(2, "entering main_instcmd(%s, %s) for [%s] on %s",
-         cmdname, extra, NUT_STRARG(upsname), buf);
+ upsdebugx(2, "entering main_instcmd(%s, %s) for [%s] on %s",
+         cmdname, NUT_STRARG(extra), NUT_STRARG(upsname), buf);

Additional Notes

This UPS also has a related issue: the I command returns all-spaces for the firmware
field, causing nutdrv_qx Megatec protocol probe to fail with Device not supported!
even though Q1 responses are valid. Workaround: add novendor to ups.conf.
A proper fix would be adding QX_FLAG_ABSENT to the ups.firmware entry in
drivers/nutdrv_qx_megatec.c line 78.

This bug was fixed by Sonnet 4.6 ,Atleast it not crashed

[jimklimov]

Did you check with a recent version of NUT, something like that might be already solved in current code. v2.8.1 is a few years old already...

In any case, the patch may be of interest to packagers

CC @bigon

[jimklimov]

Thanks again, I've re-checked:

• the equivalent fix in dstate.c is in since PR Misc fixes #2155 (Nov 2023, released since NUT v2.8.2)
• logging in main.c since Instcmd setvar brushup #2957 (May 2025, released since NUT v2.8.4)

So kudos to you and Claude for the vigilance and proposed fixes, although just using up-to-date code could have avoided them in the first place :-D

As for QX_FLAG_ABSENT, I am not sure OTOH that solution is generally correct so it can be placed into the mapping table for everyone. Specifically, need to check if using the flag and a default value is a fallback or it is used always instead of trying to get device data. I suppose you are building NUT to get those fixes applied - can you please stage an experiment with some data point that you do receive now, what would happen if you mark that with QX_FLAG_ABSENT and some different default (for inspiration, there are a few subdriver hits with device.mfr set up like that).

[siravijbb]

Thank you! I thought I was on latest version so I will close this issue as it seem it was already fix and it was my side!

[siravijbb]

Oh no, I didnt read to the end. I will try with QX_Flag_Absent

[siravijbb]

I've tested now

netups@raspberrypi:~ $ grep -n "battery.voltage.nominal\|ups.firmware\|device.mfr" ~/nut-2.8.1/drivers/nutdrv_qx_megatec.c
66:     { "battery.voltage.nominal",    0,      NULL,   "F\r",  "",     22,     '#',    "",     11,     15,     "%.1f",       QX_FLAG_STATIC, NULL,   NULL,   NULL },
76:     { "device.mfr",                 0,      NULL,   "I\r",  "",     39,     '#',    "",     1,      15,     "%s",QX_FLAG_STATIC | QX_FLAG_TRIM,   NULL,   NULL,   NULL },
78:     { "ups.firmware",               0,      NULL,   "I\r",  "",     39,     '#',    "",     28,     37,     "%s",QX_FLAG_STATIC | QX_FLAG_TRIM | QX_FLAG_ABSENT,  NULL,   NULL,   NULL },
netups@raspberrypi:~ $ sed -n '66p' ~/nut-2.8.1/drivers/nutdrv_qx_megatec.c
        { "battery.voltage.nominal",    0,      NULL,   "F\r",  "",     22,     '#',    "",     11,     15,     "%.1f",       QX_FLAG_STATIC, NULL,   NULL,   NULL },
netups@raspberrypi:~ $ sed -i '66s/QX_FLAG_STATIC,\s*NULL,\s*NULL,\s*NULL/QX_FLAG_STATIC | QX_FLAG_ABSENT, NULL, NULL, NULL/' ~/nut-2.8.1/drivers/nutdrv_qx_megatec.c
netups@raspberrypi:~ $ sed -i '66s/QX_FLAG_STATIC,\s*NULL,\s*NULL,\s*NULL/QX_FLAG_STATIC | QX_FLAG_ABSENT, NULL, NULL, NULL/' ~/nut-2.8.1/drivers/nutdrv_qx_megatec.c
netups@raspberrypi:~ $ sed -n '60,70p' ~/nut-2.8.1/drivers/nutdrv_qx_megatec.c
         *    0123456789012345678901
         *    0         1         2
         */

        { "input.voltage.nominal",      0,      NULL,   "F\r",  "",     22,     '#',    "",     1,      5,      "%.0f",       QX_FLAG_STATIC, NULL,   NULL,   NULL },
        { "input.current.nominal",      0,      NULL,   "F\r",  "",     22,     '#',    "",     7,      9,      "%.1f",       QX_FLAG_STATIC, NULL,   NULL,   NULL },
        { "battery.voltage.nominal",    0,      NULL,   "F\r",  "",     22,     '#',    "",     11,     15,     "%.1f",       QX_FLAG_STATIC | QX_FLAG_ABSENT, NULL, NULL, NULL },
        { "input.frequency.nominal",    0,      NULL,   "F\r",  "",     22,     '#',    "",     17,     20,     "%.0f",       QX_FLAG_STATIC, NULL,   NULL,   NULL },

        /*
         * > [I\r]
netups@raspberrypi:~ $ sed -i '66s/"%.1f"/"99.9"/' ~/nut-2.8.1/drivers/nutdrv_qx_megatec.c
netups@raspberrypi:~ $ sed -n '66p' ~/nut-2.8.1/drivers/nutdrv_qx_megatec.c
        { "battery.voltage.nominal",    0,      NULL,   "F\r",  "",     22,     '#',    "",     11,     15,     "99.9",       QX_FLAG_STATIC | QX_FLAG_ABSENT, NULL, NULL, NULL },
netups@raspberrypi:~ $ cd ~/nut-2.8.1/drivers
make nutdrv_qx

sudo pkill -f "nutdrv_qx"
sleep 2
sudo -u nut /usr/lib/nut/nutdrv_qx -a nutdev1 &
sleep 4

upsc nutdev1 battery.voltage.nominal
  CC       nutdrv_qx-nutdrv_qx_megatec.o
make[1]: Entering directory '/home/netups/nut-2.8.1/common'
make[1]: 'libcommon.la' is up to date.
make[1]: Leaving directory '/home/netups/nut-2.8.1/common'
make[1]: Entering directory '/home/netups/nut-2.8.1/common'
make[1]: 'libparseconf.la' is up to date.
make[1]: Leaving directory '/home/netups/nut-2.8.1/common'
  CCLD     nutdrv_qx
[sudo] password for netups: 
[1] 1829
Network UPS Tools - Generic Q* USB/Serial driver 0.36 (2.8.1)
USB communication driver (libusb 1.0) 0.46
Using protocol: Megatec 0.07
Autodetected 1 as number of battery packs [24/27.60]
Battery runtime will not be calculated (runtimecal not set)
[1]+  Done                    sudo -u nut /usr/lib/nut/nutdrv_qx -a nutdev1
Init SSL without certificate database
24.0

I ran the experiment you suggested using battery.voltage.nominal on my MEC MEC0003 2000VA UPS (Megatec protocol).
Setup: Added QX_FLAG_ABSENT to line 66 (battery.voltage.nominal) and set the dfl field to "99.9" — a deliberately wrong value the device would never return.
Result: upsc nutdev1 battery.voltage.nominal reported 24.0 — the real value from the device — not "99.9".
Conclusion: QX_FLAG_ABSENT is a fallback only. It uses the default when the device provides no data, but does not override real device data.
This makes it appropriate for the ups.firmware case in nutdrv_qx_megatec.c line 78. The UPS sends the I command response with all-spaces in bytes 28–37. After QX_FLAG_TRIM strips whitespace, the result is an empty string — which NUT treats as absent data — causing ups_infoval_set to reject it and the protocol probe to abort with Device not supported!.
Adding QX_FLAG_ABSENT to ups.firmware allows the probe to continue when the firmware field is blank, without affecting UPS models that do return a firmware string.
The workaround currently in use is novendor in ups.conf, which skips the I command entirely. The QX_FLAG_ABSENT fix would be the cleaner upstream solution as it handles the blank firmware gracefully without skipping vendor detection completely.
(from claude write for me)

[jimklimov]

Thanks! So I suppose this bit can be added to the table :)

[jimklimov]

For posterity, do you know what brand/model the UPS really is? "MEC" is I think one of the database names for the USB chips, and maybe the lack of proper vendor USB ID is a bit revealing about how proud the maker is of its product here ;)