
Bug#961345: cups: daemon crashes with invalid free()



Hello Ronny,
I tried to have a look and I get the feeling that there
is a disagreement about whether the attribute "printer-alert" is of type
IPP_TAG_TEXT or IPP_TAG_STRING.

Also, it is the only line I found at a glance that calls
ippAddString with an IPP_TAG_STRING.

Other attributes of type IPP_TAG_STRING seem to get added
by a call to ippAddOctetString.

But still I am not sure which of STRING or TEXT is the right one.

The patch below is an attempt to add "printer-alert" in copy_printer_attrs
by using ippAddOctetString.
The important change is in scheduler/ipp.c; the changes to backend/ipp.c
should just mark another questionable place.
I could not test this change as I cannot reproduce
the crash, so it is untested.

Kind regards,
Bernhard






Invalid free() / delete / delete[] / realloc()
   at 0x48369AB: free (vg_replace_malloc.c:538)
   by 0x4A2443D: ipp_free_values (ipp.c:6324)            https://sources.debian.org/src/cups/2.3.3-2/cups/ipp.c/#L6324
   by 0x4A243A7: ippDelete (ipp.c:1755)                  https://sources.debian.org/src/cups/2.3.3-2/cups/ipp.c/#L1755
   by 0x4A243A7: ippDelete (ipp.c:1729)                  https://sources.debian.org/src/cups/2.3.3-2/cups/ipp.c/#L1729
   by 0x11CCE3: cupsdWriteClient (client.c:2563)         https://sources.debian.org/src/cups/2.3.3-2/scheduler/client.c/#L2563
   by 0x156D36: cupsdDoSelect (select.c:485)             https://sources.debian.org/src/cups/2.3.3-2/scheduler/select.c/#L485
   by 0x1142F4: main (main.c:847)                        https://sources.debian.org/src/cups/2.3.3-2/scheduler/main.c/#L847
 Address 0x68f1e04 is 4 bytes inside a block of size 23 alloc'd
   at 0x4837B65: calloc (vg_replace_malloc.c:760)
   by 0x4A34DD0: _cupsStrAlloc (string.c:107)            https://sources.debian.org/src/cups/2.3.3-2/cups/string.c/#L107
   by 0x4A234F5: ippAddString (ipp.c:957)                https://sources.debian.org/src/cups/2.3.3-2/cups/ipp.c/#L957
   by 0x13076D: copy_printer_attrs (ipp.c:4894)          https://sources.debian.org/src/cups/2.3.3-2/scheduler/ipp.c/#L4894
   by 0x13DCCD: get_printer_attrs (ipp.c:7365)           https://sources.debian.org/src/cups/2.3.3-2/scheduler/ipp.c/#L7365
   by 0x13DCCD: cupsdProcessIPPRequest (ipp.c:457)       https://sources.debian.org/src/cups/2.3.3-2/scheduler/ipp.c/#L457
   by 0x11DD24: cupsdReadClient (client.c:1812)          https://sources.debian.org/src/cups/2.3.3-2/scheduler/client.c/#L1812
   by 0x156C04: cupsdDoSelect (select.c:480)             https://sources.debian.org/src/cups/2.3.3-2/scheduler/select.c/#L480
   by 0x1142F4: main (main.c:847)                        https://sources.debian.org/src/cups/2.3.3-2/scheduler/main.c/#L847



./backend/ipp.c:3081:  if ((pa = ippFindAttribute(ipp, "printer-alert", IPP_TAG_TEXT)) != NULL)
./cups/encode.c:317:  { 1, "printer-alert",             IPP_TAG_STRING,         IPP_TAG_PRINTER },
./scheduler/ipp.c:4893:  if (printer->alert && (!ra || cupsArrayFind(ra, "printer-alert")))    ippAddString(con->response, IPP_TAG_PRINTER, IPP_TAG_STRING, "printer-alert", NULL, printer->alert);
./scheduler/job.c:5276: CUPSD_EVENT_PRINTER_STATE ???



diff --git a/backend/ipp.c b/backend/ipp.c
index a99079e..94fb701 100644
--- a/backend/ipp.c
+++ b/backend/ipp.c
@@ -3026,6 +3026,7 @@ report_attr(ipp_attribute_t *attr)        /* I - Attribute */
           valptr += strlen(valptr);
           break;
 
+      case IPP_TAG_STRING :
       default :
          /*
          * Unsupported value type...
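Review bot: the new "case IPP_TAG_STRING :" falls through into the "Unsupported value type" branch, so an octetString printer-alert is silently dropped rather than reported. If the intent is only to flag the spot, as the covering mail says, a comment would do; if the value is meant to be reported, give IPP_TAG_STRING its own case that copies the octetString bytes into valptr (ippGetOctetString returns the pointer and length) instead of sharing the default branch.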
@@ -3078,7 +3079,7 @@ report_printer_state(ipp_t *ipp)  /* I - IPP response */
   * Report alerts and messages...
   */
 
-  if ((pa = ippFindAttribute(ipp, "printer-alert", IPP_TAG_TEXT)) != NULL)
+  if ((pa = ippFindAttribute(ipp, "printer-alert", IPP_TAG_STRING)) != NULL)
     report_attr(pa);
 
   if ((pam = ippFindAttribute(ipp, "printer-alert-message",
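Review bot: changing the lookup tag from IPP_TAG_TEXT to IPP_TAG_STRING changes which printers' alerts are reported at all: a printer that answers printer-alert as text (what the old code expected) is no longer matched, and one that answers as octetString is matched but, together with the previous hunk, handed to the unsupported-type branch of report_attr. If both encodings occur in practice, look the attribute up with IPP_TAG_ZERO and let report_attr handle both tags; otherwise leave this hunk out of the crash fix, since the crash in the trace is in the scheduler, not the backend.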
diff --git a/scheduler/ipp.c b/scheduler/ipp.c
index 2fe3bf2..1494ecf 100644
--- a/scheduler/ipp.c
+++ b/scheduler/ipp.c
@@ -4891,7 +4891,7 @@ copy_printer_attrs(
   }
 
   if (printer->alert && (!ra || cupsArrayFind(ra, "printer-alert")))
-    ippAddString(con->response, IPP_TAG_PRINTER, IPP_TAG_STRING, "printer-alert", NULL, printer->alert);
+    ippAddOctetString(con->response, IPP_TAG_PRINTER, "printer-alert", printer->alert, (int)strlen(printer->alert));
 
   if (printer->alert_description && (!ra || cupsArrayFind(ra, "printer-alert-description")))
     ippAddString(con->response, IPP_TAG_PRINTER, IPP_TAG_TEXT, "printer-alert-description", NULL, printer->alert_description);
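Review bot: this is the hunk that matches the valgrind trace: the freed pointer was obtained from _cupsStrAlloc inside ippAddString (ipp.c:957) but released with plain free() from ipp_free_values (ipp.c:6324), i.e. the value was stored as a pooled string and released as an octetString buffer. ippAddOctetString allocates the value the way ipp_free_values releases an IPP_TAG_STRING, so allocation and release become consistent, and the attribute keeps the IPP_TAG_STRING tag that cups/encode.c:317 declares for printer-alert. Two things to confirm before applying: the mail states the change is untested, so a run of get-printer-attributes under valgrind against a queue with printer->alert set is still needed, and (int)strlen(printer->alert) assumes the alert text carries no embedded NUL, otherwise the value is truncated at the first one.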


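As a triage aid for the valgrind report quoted above, the following Python script is an added example, not part of this bug report or of CUPS: it splits an "Invalid free()" block into its release and allocation stacks and names the mismatch when the value was handed out by _cupsStrAlloc but released by ipp_free_values through plain free(). The sample input is the trace from this mail with the sources.debian.org annotations removed, and the 4-byte header constant is my assumption about the string-pool item layout in cups/string-private.h (an unsigned int reference count followed by the string), which is what makes the reported address land "4 bytes inside" the block.

```python
import re

# Constructed input: the valgrind report from the bug, with the reporter's
# sources.debian.org annotations stripped from each frame.
SAMPLE = """\
Invalid free() / delete / delete[] / realloc()
   at 0x48369AB: free (vg_replace_malloc.c:538)
   by 0x4A2443D: ipp_free_values (ipp.c:6324)
   by 0x4A243A7: ippDelete (ipp.c:1755)
   by 0x4A243A7: ippDelete (ipp.c:1729)
   by 0x11CCE3: cupsdWriteClient (client.c:2563)
   by 0x156D36: cupsdDoSelect (select.c:485)
   by 0x1142F4: main (main.c:847)
 Address 0x68f1e04 is 4 bytes inside a block of size 23 alloc'd
   at 0x4837B65: calloc (vg_replace_malloc.c:760)
   by 0x4A34DD0: _cupsStrAlloc (string.c:107)
   by 0x4A234F5: ippAddString (ipp.c:957)
   by 0x13076D: copy_printer_attrs (ipp.c:4894)
   by 0x13DCCD: get_printer_attrs (ipp.c:7365)
   by 0x13DCCD: cupsdProcessIPPRequest (ipp.c:457)
   by 0x11DD24: cupsdReadClient (client.c:1812)
   by 0x156C04: cupsdDoSelect (select.c:480)
   by 0x1142F4: main (main.c:847)
"""

# Assumption: _cupsStrAlloc returns a pointer to the str[] member of a pool
# item that starts with a 4-byte reference count, so a pooled string passed
# to free() shows up exactly 4 bytes inside its calloc'd block.
STRPOOL_HEADER = 4

# One valgrind frame, with or without the "==pid==" prefix a raw log carries.
FRAME_RE = re.compile(
    r"^\s*(?:==\d+==)?\s*(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(\S+)\s+\(([^)]*)\)")
ADDR_RE = re.compile(
    r"Address\s+0x[0-9A-Fa-f]+\s+is\s+(\d+)\s+bytes\s+inside\s+a\s+block\s+of\s+size\s+(\d+)")


def parse_invalid_free(text):
    """Split one 'Invalid free()' report into release stack, allocation stack,
    and the offset/size valgrind printed for the freed address."""
    report = {"free_stack": [], "alloc_stack": [], "offset": None, "size": None}
    current = None
    for line in text.splitlines():
        if "Invalid free()" in line:
            current = "free_stack"
            continue
        m = ADDR_RE.search(line)
        if m:
            report["offset"], report["size"] = int(m.group(1)), int(m.group(2))
            current = "alloc_stack"
            continue
        m = FRAME_RE.match(line)
        if m and current:
            report[current].append(m.group(1))
    return report


def adder(report):
    """The ippAdd* call that created the value, if it is on the allocation stack."""
    for func in report["alloc_stack"]:
        if func.startswith("ippAdd"):
            return func
    return None


def classify(report):
    """Name the bug class the two stacks point at."""
    pooled = "_cupsStrAlloc" in report["alloc_stack"]
    rel = report["free_stack"]
    ipp_release = bool(rel) and rel[0] == "free" and "ipp_free_values" in rel
    if pooled and ipp_release and report["offset"] == STRPOOL_HEADER:
        return "pooled string released as octetString (value tag/type mismatch)"
    if report["offset"]:
        return "interior pointer passed to free()"
    return "unclassified invalid free"


if __name__ == "__main__":
    r = parse_invalid_free(SAMPLE)
    print(classify(r), "- value created by", adder(r))
```

Run it over a raw valgrind log by reading the file into parse_invalid_free instead of SAMPLE; the frame regex tolerates the "==pid==" prefixes that a live log carries and this mail stripped.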