[cups.bugs] [HIGH] STR #3197: IPP_TAG_DELETEATTR double-free crash

twaugh.redhat twaugh at redhat.com
Thu May 14 08:07:28 PDT 2009


[STR New]

When using pycups to remove a printer default option from a queue using
IPP_TAG_DELETEATTR, cupsd would crash while freeing the IPP request, here:

void
_ippFreeAttr(ipp_attribute_t *attr)     /* I - Attribute to free */
{
....
    default :
        if (!((int)attr->value_tag & IPP_TAG_COPY))
        {
          for (i = 0, value = attr->values;
               i < attr->num_values;
               i ++, value ++)
            if (value->unknown.data)
==>           free(value->unknown.data);
        }
        break;

That free() is the wrong deallocator: the value was allocated via _cupsStrAlloc(), because a non-empty IPP_TAG_DELETEATTR value falls through to the string cases in ippRead(), here:

ipp_state_t                             /* O - Current state */
ippRead(http_t *http,                   /* I - HTTP connection */
        ipp_t  *ipp)                    /* I - IPP data */
{
....
            case IPP_TAG_NOVALUE :
            case IPP_TAG_NOTSETTABLE :
            case IPP_TAG_DELETEATTR :
            case IPP_TAG_ADMINDEFINE :
                if (attr->value_tag == IPP_TAG_NOVALUE)
                {
                  if (n == 0)
                    break;

                  attr->value_tag = IPP_TAG_TEXT;
                }

            case IPP_TAG_TEXT :
            case IPP_TAG_NAME :
            case IPP_TAG_KEYWORD :
            case IPP_TAG_URI :
            case IPP_TAG_URISCHEME :
            case IPP_TAG_CHARSET :
            case IPP_TAG_LANGUAGE :
            case IPP_TAG_MIMETYPE :
....
==>             value->string.text = _cupsStrAlloc((char *)buffer);
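To make the allocator mismatch concrete, here is a miniature of the two code paths above (an added example, not CUPS code): a stand-in string pool plays the role of _cupsStrAlloc(), read_attr() mimics the ippRead() fall-through, and free_attr() mimics _ippFreeAttr() choosing the free routine by value_tag. Instead of crashing, the default branch checks whether the pointer is pool-owned and reports the mismatch; the `patched` flag stands in for the attached fix of not storing a value for IPP_TAG_DELETEATTR. Names, the pool and the return codes are assumptions for this example.

```c
/* Added example, not CUPS code: models tag-dispatched freeing of pool-owned memory. */
#include <stdlib.h>
#include <string.h>

enum { TAG_DELETEATTR = 0x16, TAG_TEXT = 0x41 };   /* real IPP tag values */
enum { FREE_OK = 0, FREE_MISMATCH = 1 };           /* hypothetical result codes */

/* Tiny stand-in for the _cupsStrAlloc() pool: it remembers what it owns. */
#define POOL_MAX 8
static char *pool[POOL_MAX];
static int   pool_n;

static char *pool_alloc(const char *s) {
  char *copy = malloc(strlen(s) + 1);
  strcpy(copy, s);
  if (pool_n < POOL_MAX) pool[pool_n++] = copy;
  return copy;
}
static int pool_owns(const void *p) {
  for (int i = 0; i < pool_n; i++) if (pool[i] == p) return 1;
  return 0;
}
static void pool_free(char *p) {
  for (int i = 0; i < pool_n; i++)
    if (pool[i] == p) { pool[i] = pool[--pool_n]; free(p); return; }
}

typedef struct { int value_tag; union { char *text; void *data; } v; } attr_t;

/* Mirrors the ippRead() switch: a DELETEATTR value with n > 0 bytes falls
 * through to the string path (pool allocation) unless the fix skips it. */
static void read_attr(attr_t *a, int tag, const char *buf, int n, int patched) {
  a->value_tag = tag;
  a->v.data = NULL;
  if (tag == TAG_DELETEATTR && (n == 0 || patched)) return;  /* no value stored */
  a->v.text = pool_alloc(buf);                               /* string cases */
}

/* Mirrors _ippFreeAttr(): the tag, not the allocator, selects the free routine. */
static int free_attr(attr_t *a) {
  if (a->value_tag == TAG_TEXT) { pool_free(a->v.text); return FREE_OK; }
  if (!a->v.data) return FREE_OK;                            /* default branch */
  if (pool_owns(a->v.data)) {                                /* cupsd would free() pool memory here */
    pool_free(a->v.text);                                    /* release it properly for the demo */
    return FREE_MISMATCH;
  }
  free(a->v.data);
  return FREE_OK;
}

/* Parses a one-byte DELETEATTR value, then frees it; 0 = unpatched, 1 = patched. */
int demo(int patched) {
  attr_t a;
  read_attr(&a, TAG_DELETEATTR, "x", 1, patched);
  return free_attr(&a);
}
```

Under AddressSanitizer the real cupsd path shows up as a bad-free or double-free report on the pool block; the example's FREE_MISMATCH result is the same condition made observable without undefined behaviour.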

Attached is a patch that works for me.

Link: http://www.cups.org/str.php?L3197
Version: 1.4-current
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Don-t-set-an-empty-value-for-IPP_TAG_DELETEATTR.patch
URL: <http://lists.cups.org/pipermail/cups-devel/attachments/20090514/0624825f/attachment.ksh>