[cups.bugs] [MOD] STR #3200: A misbehaving client can *crush* the scheduler
Opher Shachar
ophers at ladpc.co.il
Fri May 15 08:35:34 PDT 2009
DO NOT REPLY TO THIS MESSAGE. INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.
[STR New]
Hello,
First, I didn't know if this qualifies as a security issue so I didn't
mark it. Please feel free to mark it as such if it is.
A client (attached) running on:
Windows XP SP3 (up to date with security fixes)
Sun JDK 1.6.0_13
can *crush* or *hang* the CUPS server running on:
Fedora 10 i386 / cups 1:1.3.10-5.fc10
CentOS 5.2 x86_64 / cups 1.3.7-8
The Client is doing a Get-Jobs (like `lpq -a').
The server has 300 active jobs.
The client is broken: it thinks it got an incomplete response, exits
abruptly causing the JVM/OS to send a TCP RST.
A .cap file from Wireshark (v1.0.7) running on the client is attached.
At that point CUPS scheduler either:
1. crashes
2. hangs
(rarely it takes a second try to kill the server)
the error_log shows this:
D [15/May/2009:18:06:49 +0300] cupsdAcceptClient: skipping getpeercon()
D [15/May/2009:18:06:49 +0300] cupsdAcceptClient: 1 from 10.236.33.36:631
(IPv4)
D [15/May/2009:18:06:49 +0300] cupsdReadClient: 1 POST / HTTP/1.0
D [15/May/2009:18:06:49 +0300] cupsdAuthorize: No authentication data
provided.
D [15/May/2009:18:06:49 +0300] cupsdIsAuthorized: username=""
D [15/May/2009:18:06:49 +0300] Get-Jobs ipp://localhost/
D [15/May/2009:18:06:49 +0300] cupsdProcessIPPRequest: 1 status_code=0
(successful-ok)
D [15/May/2009:18:06:49 +0300] cupsdCloseClient: 1
D [15/May/2009:18:06:49 +0300] cupsdCloseClient: 7803248
To reproduce:
1. produce 300 active jobs on the CUPS server.
2. extract client.zip to any directory
3. execute: java -cp "cups-java-client-1.3.jar";. TestCupsGetJobs
10.236.33.136
(replace 10.236.33.136 with your server address)
Note: I tried running the Client on a Linux machine but couldn't crash the
CUPS server. I'm not sure but it seems that the JVM/Linux sent a TCP FIN
(and not a TCP RST as on the MS-Windows machine).
Regards,
Opher.
Link: http://www.cups.org/str.php?L3200
Version: 1.3.10
Attachment: http://www.cups.org/strfiles/3200/Client.zip
More information about the cups-devel
mailing list