[cups.bugs] [MOD] STR #4262: segmentation fault in test/ipptool.c:2557

Ulrich.Windl.rz.uni-regensburg Ulrich.Windl at rz.uni-regensburg.de
Mon Jan 21 03:37:28 PST 2013


[STR New]

This patch fixes a segmentation fault in ipptool.c:2557 (cups 1.6.1) when
performing the test 4.2-cups-printer-ops.test.

In that case the IPP printer returned (you can guess the response from the
debug output, "AGT" = Attribute Group Tag):
[0]main_loop:N: accepted connection from 172.20.16.35:52846
[0]main_loop:D: Method: POST
 [1]IPP_decode:N: version 0101 op_id 4003 request-id 57953 data size 9293
   [3]AGT:1:D: value tag:71
   [3]AGT:1:D: name:attributes-charset
   [3]AGT:1:D: val:utf-8
   [3]AGT:1:D: value tag:72
   [3]AGT:1:D: name:attributes-natural-language
   [3]AGT:1:D: val:en
   [3]AGT:1:D: value tag:69
   [3]AGT:1:D: name:printer-uri
   [3]AGT:1:D: val:ipp://host.site:1631/printers/Test1
  [2]parse_attribute_group:D: group ends with tag:3
  [2]parse_attribute_group:D: group ends with tag:3
 [1]IPP_decode:D: end of attributes
 [1]IPP_decode:D: 9150 bytes of data
 [1]IPP_decode:D: end of data
[0]main_loop:E: operation '16387' not implemented
  [2]IPP_encode:N: version 0101 status 0501 request-id 57953
   [3]build_attribute_group:D: AGT:3
  [2]IPP_encode:D: end of data
[0]main_loop:W: failed to get request: Client closed

The original code causes a null-pointer dereference when setting up a
variable that will never be used in the loop. The fix just uses some ugly
number for group (which shouldn't matter as the loop isn't executed).


diff --git a/test/ipptool.c b/test/ipptool.c
index dac5541..619edee 100644
--- a/test/ipptool.c
+++ b/test/ipptool.c
@@ -2554,7 +2554,8 @@ do_tests(_cups_vars_t *vars,		/* I - Variables */
 
 	a = cupsArrayNew((cups_array_func_t)strcmp, NULL);
 
-	for (attrptr = response->attrs, group = attrptr->group_tag;
+	for (attrptr = response->attrs, group = (attrptr != NULL) ?
+		     attrptr->group_tag : 99999;
 	     attrptr;
 	     attrptr = attrptr->next)
 	{
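
Review bot: The fallback value 99999 in the new initializer `group = (attrptr != NULL) ? attrptr->group_tag : 99999` is an unexplained magic number assigned to a tag variable. Either use a named zero or invalid tag constant from the IPP headers, or drop the ternary and skip the whole loop when `response->attrs` is NULL, so the empty-response case is explicit and `group` is only ever set from a real attribute. A one-line comment noting that a response can carry no attributes (as the 0501 reply in the debug output shows) would document why the check exists. The initializer still dereferences `response` unconditionally; please confirm it cannot be NULL at this point in do_tests().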

Link: https://www.cups.org/str.php?L4262
Version: 1.6.1




