[cups.bugs] [HIGH] STR #3197: IPP_TAG_DELETEATTR double-free crash
twaugh.redhat
twaugh at redhat.com
Thu May 14 08:07:28 PDT 2009
[STR New]
When using pycups to remove a printer default option from a queue using
IPP_TAG_DELETEATTR, cupsd would crash while freeing the IPP request, here:
void
_ippFreeAttr(ipp_attribute_t *attr)     /* I - Attribute to free */
{
  ....
    default :
        if (!((int)attr->value_tag & IPP_TAG_COPY))
        {
          for (i = 0, value = attr->values;
               i < attr->num_values;
               i ++, value ++)
            if (value->unknown.data)
    ==>       free(value->unknown.data);
        }
        break;
It's because the value was allocated via _cupsStrAlloc(), here:
ipp_state_t                             /* O - Current state */
ippRead(http_t *http,                   /* I - HTTP connection */
        ipp_t  *ipp)                    /* I - IPP data */
{
  ....
    case IPP_TAG_NOVALUE :
    case IPP_TAG_NOTSETTABLE :
    case IPP_TAG_DELETEATTR :
    case IPP_TAG_ADMINDEFINE :
        if (attr->value_tag == IPP_TAG_NOVALUE)
        {
          if (n == 0)
            break;
          attr->value_tag = IPP_TAG_TEXT;
        }
    case IPP_TAG_TEXT :
    case IPP_TAG_NAME :
    case IPP_TAG_KEYWORD :
    case IPP_TAG_URI :
    case IPP_TAG_URISCHEME :
    case IPP_TAG_CHARSET :
    case IPP_TAG_LANGUAGE :
    case IPP_TAG_MIMETYPE :
  ....
    ==> value->string.text = _cupsStrAlloc((char *)buffer);
Attached is a patch that works for me.
Link: http://www.cups.org/str.php?L3197
Version: 1.4-current
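The mismatch described above, as an added example that is not CUPS code: a small model in which a value interned through a reference-counted string pool (standing in for _cupsStrAlloc()) must be released through that pool, while cleanup is dispatched on value_tag. The read side stores nothing for a value-less tag such as DELETEATTR, which is the behaviour the attached patch's title describes, and a debug assertion catches a pooled pointer on its way to free(). The tag set and every name here (str_alloc, str_free, str_owns, attr_read, attr_free, pool_live_count) are hypothetical.

```c
/* Added example, not CUPS code: a model of the allocation/free mismatch in this
 * report. A value interned through a reference-counted pool is only safe to
 * release through that pool; cleanup dispatched on value_tag must agree with
 * what the read side stored. All names are hypothetical. */
#include <assert.h>
#include <stdlib.h>
#include <string.h>

typedef enum { TAG_DELETEATTR, TAG_TEXT, TAG_OCTETSTRING } tag_t;

/* One value slot: string.text and unknown.data alias, as in a C union. */
typedef union {
    struct { char *text; } string;
    struct { void *data; int length; } unknown;
} value_t;
typedef struct { tag_t value_tag; int num_values; value_t values[4]; } attr_t;

/* Reference-counted interning pool (stands in for a _cupsStrAlloc-style pool). */
#define POOL_SIZE 16
static struct { char *s; int refs; } pool[POOL_SIZE];

static char *str_alloc(const char *s)
{
    int i, slot = -1;
    size_t len = strlen(s) + 1;
    for (i = 0; i < POOL_SIZE; i++) {
        if (pool[i].s && strcmp(pool[i].s, s) == 0) { pool[i].refs++; return pool[i].s; }
        if (!pool[i].s && slot < 0) slot = i;
    }
    if (slot < 0 || !(pool[slot].s = malloc(len))) return NULL;
    memcpy(pool[slot].s, s, len);
    pool[slot].refs = 1;
    return pool[slot].s;
}

/* True if p is a live pooled string; used as a debug guard before free(). */
static int str_owns(const void *p)
{
    int i;
    for (i = 0; i < POOL_SIZE; i++)
        if (p && pool[i].s == p) return 1;
    return 0;
}

/* Drop one reference. Returns 0, or -1 if p was never pooled. */
static int str_free(char *p)
{
    int i;
    for (i = 0; i < POOL_SIZE; i++)
        if (pool[i].s == p) {
            if (--pool[i].refs == 0) { free(pool[i].s); pool[i].s = NULL; }
            return 0;
        }
    return -1;
}

int pool_live_count(void)
{
    int i, n = 0;
    for (i = 0; i < POOL_SIZE; i++) n += (pool[i].s != NULL);
    return n;
}

/* Read side. DELETEATTR is an out-of-band tag and carries no value, so nothing
 * is stored whatever the payload says; storing a pooled string behind such a
 * tag is exactly what the cleanup path below cannot release correctly. */
attr_t *attr_read(tag_t tag, const char *payload, int n)
{
    attr_t *attr = calloc(1, sizeof *attr);
    if (!attr) return NULL;
    attr->value_tag = tag;
    if (tag == TAG_TEXT) {
        attr->values[0].string.text = str_alloc(payload);
        attr->num_values = 1;
    } else if (tag == TAG_OCTETSTRING) {
        attr->values[0].unknown.data = malloc(n > 0 ? (size_t)n : 1);
        if (n > 0) memcpy(attr->values[0].unknown.data, payload, (size_t)n);
        attr->values[0].unknown.length = n;
        attr->num_values = 1;
    }
    return attr;
}

/* Cleanup dispatched on value_tag: each tag releases its values through the
 * allocator that created them. Returns how many values were released. */
int attr_free(attr_t *attr)
{
    int i, released = 0;
    for (i = 0; i < attr->num_values; i++) {
        value_t *v = &attr->values[i];
        if (attr->value_tag == TAG_TEXT) {
            if (v->string.text && str_free(v->string.text) == 0) released++;
        } else if (attr->value_tag == TAG_OCTETSTRING) {
            assert(!str_owns(v->unknown.data)); /* a pooled string must never reach free() */
            free(v->unknown.data);
            released++;
        } else {
            assert(v->unknown.data == NULL);    /* value-less tags store nothing */
        }
    }
    free(attr);
    return released;
}
```

The point of the model is the pairing: the read side decides, per tag, which allocator owns a value, and the free side must make the same decision from the same tag. Interning makes the failure worse than a plain leak, because the pool hands out one shared pointer for identical strings, so a stray free() on it corrupts every attribute that still references that string.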
Name: 0001-Don-t-set-an-empty-value-for-IPP_TAG_DELETEATTR.patch
URL: <http://lists.cups.org/pipermail/cups-devel/attachments/20090514/0624825f/attachment.ksh>