[cups-devel] [UNKN] STR #4603: cups-lpd: access beyond end of string

Peter De Wachter noreply at cups.org
Sun Mar 1 14:27:29 PST 2015



DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

Consider what happens if somebody sends a single newline ("\n") to a
cups-lpd server.

213  if (smart_gets(line, sizeof(line), stdin) == NULL)

smart_gets will store a zero-length string in `line`. It will not return
NULL, so execution will proceed.

233  command = line[0];
234  dest    = line + 1;

command is set to 0, and dest will point past the terminating nul byte.

240    for (list = dest; *list && !isspace(*list & 255); list ++);
241
242    while (isspace(*list & 255))
243      *list++ = '\0';

And now cups-lpd is scribbling beyond the end of the string. Not
exploitable, but still ugly.

Link: https://www.cups.org/str.php?L4603
Version: 2.0-current
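The sequence the report walks through, as an added example that is not code from CUPS or from the reporter: a small stand-in for smart_gets() that reads from a string instead of a FILE*, the quoted command/dest split done unchecked, a hardened version that rejects an empty line before anything is derived from line + 1, and a driver that pre-fills the buffer with constructed stale bytes and then feeds it a bare "\n". The buffer size, the stale byte pattern and all function names are assumptions made for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINESIZE 32   /* small stand-in for cups-lpd's request buffer */

/* What cups-lpd derives from one request line: the one-byte command and the
   destination (queue) name after it, plus where the parse ended. */
struct lpd_req {
  int         command;  /* line[0]; 0 for an empty line, -1 when rejected */
  const char *dest;     /* line + 1, pointing into the buffer */
  ptrdiff_t   list_off; /* index at which the space-skipping loop stopped */
  const char *line;     /* the buffer itself, for inspection afterwards */
};

/* Stand-in for smart_gets(): reads one line from a NUL-terminated string
   instead of a FILE*, strips CR/LF and NUL-terminates what it read. As the
   report describes for smart_gets(), a bare "\n" stores "" and returns
   non-NULL; NULL only when the input is exhausted. */
static char *read_line(char *line, size_t linesize, const char **inp)
{
  const char *p = *inp;
  size_t      n = 0;

  if (*p == '\0')
    return NULL;
  for (; *p != '\0' && *p != '\n'; p ++)
    if (*p != '\r' && n + 1 < linesize)
      line[n ++] = *p;
  if (*p == '\n')
    p ++;
  line[n] = '\0';
  *inp    = p;
  return line;
}

/* The split exactly as the quoted cups-lpd lines do it, with no check that the
   line is non-empty: on "" the for loop starts one byte past the terminator
   and the while loop writes wherever the stale bytes happen to hold spaces. */
static struct lpd_req parse_as_reported(char *line)
{
  struct lpd_req r;
  char          *list;

  r.command = line[0];
  r.dest    = line + 1;
  for (list = line + 1; *list && !isspace(*list & 255); list ++);
  while (isspace(*list & 255))
    *list++ = '\0';
  r.list_off = list - line;
  r.line     = line;
  return r;
}

/* Hardened form (added here, not the project's fix): reject an empty line
   before anything is derived from line + 1. */
static int parse_checked(char *line, struct lpd_req *out)
{
  if (line[0] == '\0')
    return -1;
  *out = parse_as_reported(line);
  return 0;
}

/* Reproduce the report: the buffer holds stale bytes (a constructed pattern
   here; on the real server, whatever the stack held), then "\n" arrives. The
   unchecked parse yields command 0, the stale "lp" as destination, and
   overwrites the stale space at line[3] with a NUL. */
static struct lpd_req demo_empty_line(void)
{
  static char line[LINESIZE];
  const char *input = "\n";                 /* constructed client input */

  memset(line, 'X', sizeof line);
  memcpy(line, "Zlp foo", 8);               /* stale "Zlp foo\0", then 'X's */
  read_line(line, sizeof line, &input);     /* stores "": only line[0] changes */
  return parse_as_reported(line);
}

/* Run the hardened parse on a copy of req; command is -1 if it was rejected. */
static struct lpd_req parse_request(const char *req)
{
  static char    line[LINESIZE];
  struct lpd_req r = { -1, "", 0, line };

  strncpy(line, req, sizeof line - 1);
  line[sizeof line - 1] = '\0';
  parse_checked(line, &r);
  return r;
}

int main(void)
{
  struct lpd_req r = demo_empty_line();

  printf("unchecked: command=%d dest=\"%s\" loop stopped at %td line[3]=%d\n",
         r.command, r.dest, r.list_off, r.line[3]);
  r = parse_request("");
  printf("checked:   empty line -> command=%d (rejected)\n", r.command);
  r = parse_request("\002lp foo");
  printf("checked:   \\002lp foo -> command=%d dest=\"%s\"\n", r.command, r.dest);
  return 0;
}
```

How far the two loops run past the terminator depends entirely on the stale contents: the read at line[1] happens on every empty line, and the write happens as soon as the first non-NUL run of stale bytes ends in whitespace. In the example the constructed NUL at line[7] bounds the walk; the real stack offers no such guarantee, which is why the check on line[0] belongs before dest is computed rather than after.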
