cups-lpd: access beyond end of string #4603

Closed
michaelrsweet opened this issue Mar 1, 2015 · 2 comments
@michaelrsweet
Collaborator

Version: 2.0-current
CUPS.org User: pdewacht

Consider what happens if somebody sends a single newline ("\n") to a cups-lpd server.

    if (smart_gets(line, sizeof(line), stdin) == NULL)

smart_gets will store a zero-length string in line. It will not return NULL, so execution will proceed.

    command = line[0];
    dest = line + 1;

command is set to 0, and dest will point past the terminating nul byte.

    for (list = dest; *list && !isspace(*list & 255); list ++);

    while (isspace(*list & 255))
      *list++ = '\0';

And now cups-lpd is scribbling beyond the end of the string. Not exploitable, but still ugly.
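The parsing steps quoted in the report above, reproduced as an added example (not code from CUPS or from the reporter) that counts the bytes overwritten beyond the terminator, with and without the empty-line check from str4603.patch. The names `fill_sample` and `split_request` and the buffer contents are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: an empty request (line[0] == NUL) in a buffer that
 * still holds other bytes after the terminator, as a stack buffer may.
 * The trailing NUL keeps every access inside the buffer. */
static void fill_sample(char *buf)
{
  memcpy(buf, "?stale  data", 13);      /* 12 chars + final NUL */
  buf[0] = '\0';
}

/* Split a request line in place, following the quoted parsing steps.
 * patched != 0 applies the empty-line check from str4603.patch.
 * Returns how many bytes were overwritten beyond the line's NUL. */
static size_t split_request(char *line, int patched, char **dest, char **list)
{
  size_t end = strlen(line), stray = 0;
  char  *p;

  if (patched && line[0] == '\0')
    *dest = line;                       /* empty request: stay on the NUL */
  else
    *dest = line + 1;                   /* skip the command byte */

  for (p = *dest; *p && !isspace(*p & 255); p ++);
  while (isspace(*p & 255))
  {
    if ((size_t)(p - line) > end)
      stray ++;
    *p++ = '\0';
  }
  *list = p;
  return stray;
}

int main(void)
{
  char buf[32], *dest, *list;
  int  patched;
  for (patched = 0; patched <= 1; patched ++)
  {
    fill_sample(buf);
    printf("patched=%d: %zu stray writes\n", patched,
           split_request(buf, patched, &dest, &list));
  }
  return 0;
}
```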

@michaelrsweet
Collaborator Author

CUPS.org User: mike

Fixed in Subversion repository.

@michaelrsweet
Collaborator Author

"str4603.patch":

Index: scheduler/cups-lpd.c

--- scheduler/cups-lpd.c (revision 12597)
+++ scheduler/cups-lpd.c (working copy)
@@ -230,8 +230,10 @@

  • resource list, and/or user name.
    */
  • command = line[0];
  • dest = line + 1;
  • if ((command = line[0]) == '\0')
  • dest = line;
  • else
  • dest = line + 1;

if (command == 0x02)
list = NULL;
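
Review bot: the new `if ((command = line[0]) == '\0')` branch makes the empty request safe only by pointing `dest` at the terminator, and execution then continues to the `if (command == 0x02)` check with command 0 and an empty destination. A short comment above the branch stating that a zero-length line is passed through deliberately, so that the later parsing stops at the NUL, would make the intent clear; alternatively the zero-length line could be rejected at this point. Moving the assignment out of the condition (`command = line[0];` followed by `if (command == '\0')`) would also read more plainly.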
