[cups-devel] LPD breaks when bind fails from oversize address_len

Isaac Dunham ibid.ag at gmail.com
Sat Jul 5 20:39:45 PDT 2014


OS:	Alpine Linux (alpinelinux.org)
libc:	musl (musl-libc.org)
compiler: GCC 4.8.2
CUPS:	1.7.3

When using the lpd protocol to print to a network printer from a computer
with the software described, I found that the lpd backend went into an
infinite loop.
Checking with strace showed a loop repeating this bit with varying ports:
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 7
bind(7, {sa_family=AF_INET, sin_port=htons(905), sin_addr=inet_addr("0.0.0.0")},
256) = -1 EINVAL (Invalid argument)
This corresponds to the port retry loop in rresvport_af(), within
backend/lpd.c

The musl maintainer pointed out that bind() was probably failing due to
address_len being 256 bytes, which is too large for a struct sockaddr_in.

Failing with errno=EINVAL is permitted for this case by POSIX 2008/2013:
 The bind() function may fail if:
 [EINVAL]
    The address_len argument is not a valid length for the address family.

I confirmed that this was the issue by applying the attached patch,
which checks the protocol family to determine the size to pass for
address_len.
With this patch, network printing over the lpd protocol worked.
That said, the patch was implemented blindly; the AF_LOCAL section
may be entirely irrelevant.


Thanks,
Isaac Dunham
-------------- next part --------------
diff --git a/backend/lpd.c b/backend/lpd.c
index 6e4ab36..bbffb82 100644
--- a/backend/lpd.c
+++ b/backend/lpd.c
@@ -1244,6 +1244,7 @@ rresvport_af(int *port,			/* IO - Port number to bind to */
 {
   http_addr_t	addr;			/* Socket address */
   int		fd;			/* Socket file descriptor */
+  socklen_t	socksz=sizeof(struct sockaddr);	/* size of struct sockaddr* */
 
 
  /*
@@ -1260,6 +1261,23 @@ rresvport_af(int *port,			/* IO - Port number to bind to */
   memset(&addr, 0, sizeof(addr));
   addr.addr.sa_family = family;
 
+  switch(family) {
+    case AF_INET:
+      socksz = sizeof(struct sockaddr_in);
+      break;
+#ifdef AF_INET6
+    case AF_INET6:
+      socksz = sizeof(struct sockaddr_in6);
+      break;
+#endif
+#ifdef AF_LOCAL
+    case AF_LOCAL:
+      socksz = sizeof(struct sockaddr_un);
+#endif
+    default:
+      break;
+  }
+
  /*
   * Try to bind the socket to a reserved port...
   */
@@ -1276,7 +1294,7 @@ rresvport_af(int *port,			/* IO - Port number to bind to */
     * Try binding the port to the socket; return if all is OK...
     */
 
-    if (!bind(fd, (struct sockaddr *)&addr, sizeof(addr)))
+    if (!bind(fd, (struct sockaddr *)&addr, socksz))
       return (fd);
 
    /*


More information about the cups mailing list