[cups.bugs] [HIGH] STR #3894: Infinite read loop in libcups

Matt L mattl at google.com
Thu Jul 21 19:39:34 PDT 2011



[STR New]

This issue has been reproduced with 1.4.7.  Samba processes built against
libcups have been going into a seemingly infinite loop trying to read from
a fd:

....
recvfrom(32, "", 2048, 0, NULL, NULL)   = 0
recvfrom(32, "", 2048, 0, NULL, NULL)   = 0
recvfrom(32, "", 2048, 0, NULL, NULL)   = 0
recvfrom(32, "", 2048, 0, NULL, NULL)   = 0
recvfrom(32, "", 2048, 0, NULL, NULL)   = 0
....

The processes (generally all at once) consume constant CPU once they enter
the loop.  A gdb backtrace leads to this:

#0  0x00007fc8a091a472 in recv () from /lib/libc.so.6
#1  0x00007fc8a1e665b0 in httpGets () from /usr/lib/libcups.so.2
#2  0x00007fc8a1e666b3 in _httpUpdate () from /usr/lib/libcups.so.2
#3  0x00007fc8a1e669e3 in httpUpdate () from /usr/lib/libcups.so.2
#4  0x00007fc8a1e7d400 in cupsGetResponse () from /usr/lib/libcups.so.2
#5  0x00007fc8a1e7d733 in cupsDoIORequest () from /usr/lib/libcups.so.2

An initial bit of digging led me to believe this portion of
cups/request.c might be involved:

   do
   {
     status = httpUpdate(http);
   }
   while (http->state == HTTP_POST_RECV);

Looking through recent changes, I found r9688 which alters this code to
abort the loop on an HTTP_ERROR.  I cherry-picked this change, and it did
apparently fix the looping issue, but it has also led to new problems.
Admin operations from the web interface, lpadmin, etc. seem to drop
connections prematurely when this patch is used, leading me to believe
it's incomplete.

I see further changes have been made to this code in 1.5, and may very
well fix or work around the issue in 1.4.  Unfortunately, implementing a
full fleet upgrade to 1.5 is non-trivial and will take time, but the
looping issue is hurting us in the meantime.

I'm hoping with the recent changes to this code that someone may already
be aware of the bug and could provide a working patch for the 1.4 branch. 
If not, I can gather more data if it would help to isolate it.

Link: http://www.cups.org/str.php?L3894
Version: 1.4.7
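As an added illustration (this is not libcups code and not the r9688 change
discussed in the report), the C model below reproduces the shape of the
request.c loop quoted above: a header-reading state machine driven by
`do { update } while (state == RECV)`. The strace shows recv() returning 0,
which means the peer closed the connection; a reader that treats 0 as "no data
yet, try again" never leaves the RECV state and burns CPU forever. The model
maps EOF to an error state so the outer loop terminates, and `spin_on_eof`
reproduces the buggy pattern with a bound so it can be run. All names
(`reader`, `ST_*`, `drain_response`, `closed_pipe_with`, ...) are invented for
this example, and the test input is a pipe whose writer has closed, standing in
for a peer that hung up.

```c
/* Added example, not libcups code. Models the "loop until the POST response
 * has been received" pattern and the EOF check that stops it from spinning.
 * All identifiers here are invented for illustration. */
#include <errno.h>
#include <string.h>
#include <unistd.h>

enum { ST_RECV = 0, ST_DONE = 1, ST_ERROR = 2 };   /* stand-ins for HTTP_POST_RECV etc. */
enum { LINE_OK = 0, LINE_EOF = -1, LINE_ERR = -2 };

struct reader { int fd; char data[2048]; size_t pos, len; };

/* Refill the buffer. read() == 0 means the peer closed the connection and
 * must be reported as EOF, never retried: retrying is exactly the strace loop. */
static int fill(struct reader *r)
{
    ssize_t n;
    do { n = read(r->fd, r->data, sizeof r->data); } while (n < 0 && errno == EINTR);
    if (n == 0) return LINE_EOF;
    if (n < 0)  return LINE_ERR;
    r->pos = 0;
    r->len = (size_t)n;
    return LINE_OK;
}

/* Read one line into out (NUL-terminated, trailing CR/LF stripped).
 * Overlong lines are truncated rather than overflowing out. */
int read_line(struct reader *r, char *out, size_t outlen)
{
    size_t n = 0;
    for (;;) {
        if (r->pos == r->len) {
            int rc = fill(r);
            if (rc != LINE_OK) { out[n] = '\0'; return rc; }
        }
        char c = r->data[r->pos++];
        if (c == '\n') {
            if (n && out[n - 1] == '\r') n--;
            out[n] = '\0';
            return LINE_OK;
        }
        if (n + 1 < outlen) out[n++] = c;
    }
}

/* One step of the state machine: a blank line ends the headers; EOF or a
 * read error moves to ST_ERROR so that the caller's loop condition fails. */
void update(struct reader *r, int *state, int *lines)
{
    char line[256];
    int rc = read_line(r, line, sizeof line);
    if (rc != LINE_OK)        *state = ST_ERROR;
    else if (line[0] == '\0') *state = ST_DONE;
    else                      (*lines)++;
}

/* The request.c-style loop. Returns the final state; *lines counts header lines. */
int drain_response(int fd, int *lines)
{
    struct reader r = { fd, {0}, 0, 0 };
    int state = ST_RECV;
    *lines = 0;
    do {
        update(&r, &state, lines);
    } while (state == ST_RECV);     /* leaves on ST_DONE or ST_ERROR, never spins */
    return state;
}

/* The buggy pattern behind the strace: a zero-length read treated as "try again".
 * Bounded by max_reads so it terminates; returns how many zero reads occurred. */
int spin_on_eof(int fd, int max_reads)
{
    char buf[2048];
    int zero_reads = 0;
    while (zero_reads < max_reads && read(fd, buf, sizeof buf) == 0)
        zero_reads++;
    return zero_reads;
}

/* Constructed fixture: a pipe whose writer has closed, so reads return the
 * payload and then 0, like a server that sent a partial response and hung up. */
int closed_pipe_with(const char *payload)
{
    int p[2];
    size_t len = strlen(payload);
    if (pipe(p) < 0) return -1;
    if (write(p[1], payload, len) != (ssize_t)len) { close(p[0]); close(p[1]); return -1; }
    close(p[1]);
    return p[0];
}

/* Convenience wrappers for checking a payload end to end. */
int final_state_for(const char *payload)
{
    int n, fd = closed_pipe_with(payload);
    int s = drain_response(fd, &n);
    close(fd);
    return s;
}

int header_lines_for(const char *payload)
{
    int n, fd = closed_pipe_with(payload);
    drain_response(fd, &n);
    close(fd);
    return n;
}
```

A response cut off before its terminating blank line yields ST_ERROR after the
header lines already received, so the caller sees a failed request instead of a
hung process; a complete header block yields ST_DONE. The bounded `spin_on_eof`
returns its cap on an already-closed descriptor, which is the unbounded trace
above in miniature.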