Version: 2.0-current
CUPS.org User: pdewacht
Consider what happens if somebody sends a single newline ("\n") to a cups-lpd server.
if (smart_gets(line, sizeof(line), stdin) == NULL)
smart_gets will store a zero-length string in line. It will not return NULL, so execution will proceed.
command = line[0];
dest = line + 1;
command is set to 0, and dest will point past the terminating nul byte.
for (list = dest; *list && !isspace(*list & 255); list ++);

while (isspace(*list & 255))
  *list++ = '\0';
And now cups-lpd is scribbling beyond the end of the string. Not exploitable, but still ugly.
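The behaviour described in the report, reproduced on a constructed buffer as an added example (not part of the original report and not the CUPS source). The names `lpd_request`, `split_unchecked`, `split_checked` and `bytes_changed_past_nul` are hypothetical, and the guard in `split_checked` is an assumption, not the committed fix.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical container for the three values the excerpt computes. */
typedef struct { char command; char *dest; char *list; } lpd_request;

/* Same pointer arithmetic as the excerpt in the report: dest becomes
 * line + 1 even when line[0] is already the terminating NUL. */
static void split_unchecked(char *line, lpd_request *req)
{
  char *list;
  req->command = line[0];
  req->dest    = line + 1;
  for (list = req->dest; *list && !isspace(*list & 255); list++);
  while (isspace(*list & 255))
    *list++ = '\0';
  req->list = list;
}

/* Guarded variant (an assumption, not the committed fix): an empty line
 * has no command byte, so refuse it before line + 1 is formed. */
static int split_checked(char *line, lpd_request *req)
{
  if (line[0] == '\0')
    return -1;
  split_unchecked(line, req);
  return 0;
}

/* Constructed input: the NUL an empty line leaves at line[0], followed by
 * stale bytes inside the same 16-byte array, so the stray write stays in
 * bounds here. Returns how many bytes after the NUL were modified. */
static int bytes_changed_past_nul(int use_check)
{
  char line[16] = "\0old data", before[16];
  lpd_request req;
  int i, changed = 0;
  memcpy(before, line, sizeof(line));
  if (use_check) split_checked(line, &req); else split_unchecked(line, &req);
  for (i = 1; i < (int)sizeof(line); i++)
    changed += (line[i] != before[i]);
  return changed;
}

int main(void)
{
  printf("unchecked: %d\n", bytes_changed_past_nul(0));
  printf("checked:   %d\n", bytes_changed_past_nul(1));
  return 0;
}
```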
CUPS.org User: mike
Fixed in Subversion repository.
"str4603.patch":
--- scheduler/cups-lpd.c (revision 12597) +++ scheduler/cups-lpd.c (working copy) @@ -230,8 +230,10 @@
if (command == 0x02) list = NULL;
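Review bot: The reported empty-line case, where command is 0, is not covered by the one body line of this hunk that is visible here, `if (command == 0x02) list = NULL;`, which only handles command 0x02. The header shows two lines added (8 lines become 10); those should test for the empty line before `dest = line + 1` is used, so the scan never starts past the terminator, and a short comment naming the single-newline input would tell later readers why the guard exists.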