oss-sec mailing list archives
Re: CVE request: CUPS DoS via RSS subscriptions
From: Eygene Ryabinkin <rea-sec () codelabs ru>
Date: Thu, 20 Nov 2008 03:16:36 +0300
Josh, Mike, *, good day.

Wed, Nov 19, 2008 at 03:14:43PM -0500, Josh Bressers wrote:
> So from looking at cups 1.3.7 on Fedora 8, here is what I see:
>
> (gdb) bt
> #0  create_subscription (con=0xb88975c0, uri=0xb889ae00) at ipp.c:5858
> #1  0xb7facba7 in cupsdProcessIPPRequest (con=0xb88975c0) at ipp.c:615
> #2  0xb7f88bfc in cupsdReadClient (con=0xb88975c0) at client.c:2253
> #3  0xb7fc0606 in cupsdDoSelect (timeout=1) at select.c:537
> #4  0xb7f98710 in main (argc=1, argv=0xbfdd6194) at main.c:817
> (gdb) list
> 5853        else if (printer)
> 5854          cupsdLogMessage(CUPSD_LOG_DEBUG,
> 5855                          "Added subscription %d for printer \"%s\"",
> 5856                          sub->id, printer->name);
> 5857        else
> 5858          cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for server",
> 5859                          sub->id);
> 5860
> 5861        sub->interval = interval;
> 5862        sub->lease    = lease;
> (gdb) print sub
> $1 = (cupsd_subscription_t *) 0x0
>
> It would appear to be a NULL pointer dereference.
>
> It seems that this call a few lines above the snippet shown above:
>     sub = cupsdAddSubscription(mask, printer, job, recipient, 0);
>
> will return NULL when the hardcoded value of 100 subscriptions is hit.
Not really hardcoded -- it is settable with the 'MaxSubscriptions' directive.

I have just reproduced the bug with CUPS 1.3.9 on FreeBSD. MaxSubscriptions was set to 3 to ease the PoC. Just repeated invocations of 'lpr -m <somefile>' were crashing the CUPS daemon reproducibly.

The attached patch fixes things for me, but perhaps it needs some more polishing. Will try to take a fresh look at this tomorrow.

Mike, please take a look at this!
-- 
rea
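As an added example, not code from this thread, from the attached patch or from CUPS itself, here is a small C model of the pattern the backtrace shows: an allocator that hands out subscription slots until a configurable limit (playing the role of MaxSubscriptions) and then returns NULL, the caller that uses the result unchecked and faults at the limit, and the same caller with the NULL check so that the request is refused instead of killing the process. All names here (model_server_t, model_add_subscription, create_subscription_unchecked, create_subscription_checked, flood_subscriptions) and the structures are assumptions for illustration; they are not cupsd's real data structures or functions.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a server-wide subscription table (assumption:
   not CUPS' real cupsd_subscription_t or cupsdAddSubscription). */
typedef struct {
    int id;
    int interval;
} model_subscription_t;

typedef struct {
    int max_subscriptions;        /* plays the role of MaxSubscriptions */
    int count;
    int next_id;
    model_subscription_t *subs;   /* table of max_subscriptions slots */
} model_server_t;

model_server_t *model_server_new(int max_subscriptions)
{
    model_server_t *srv = calloc(1, sizeof *srv);
    if (srv == NULL)
        return NULL;
    srv->subs = calloc((size_t)max_subscriptions, sizeof *srv->subs);
    if (srv->subs == NULL) {
        free(srv);
        return NULL;
    }
    srv->max_subscriptions = max_subscriptions;
    srv->next_id = 1;
    return srv;
}

void model_server_free(model_server_t *srv)
{
    if (srv != NULL)
        free(srv->subs);
    free(srv);
}

/* Like the allocator discussed in the thread: returns a slot, or NULL once
   the configured limit is reached. Every caller must check for NULL. */
model_subscription_t *model_add_subscription(model_server_t *srv)
{
    if (srv->count >= srv->max_subscriptions)
        return NULL;
    model_subscription_t *sub = &srv->subs[srv->count++];
    sub->id = srv->next_id++;
    return sub;
}

/* Vulnerable pattern from the backtrace: the result is used unchecked.
   When the table is full, sub is NULL and sub->id faults, taking the
   whole daemon down. Shown beside the fix; never call it at the limit. */
int create_subscription_unchecked(model_server_t *srv, int interval)
{
    model_subscription_t *sub = model_add_subscription(srv);
    printf("Added subscription %d for server\n", sub->id); /* NULL deref when full */
    sub->interval = interval;
    return sub->id;
}

/* Hardened form: a NULL result becomes a refused request, not a crash.
   Returns the new subscription id, or -1 when the limit is reached. */
int create_subscription_checked(model_server_t *srv, int interval)
{
    model_subscription_t *sub = model_add_subscription(srv);
    if (sub == NULL) {
        fprintf(stderr, "Subscription refused: MaxSubscriptions (%d) reached\n",
                srv->max_subscriptions);
        return -1;
    }
    printf("Added subscription %d for server\n", sub->id);
    sub->interval = interval;
    return sub->id;
}

/* Models the PoC: 'requests' back-to-back jobs, each wanting one
   subscription, sent to the checked path. Returns how many were accepted;
   the rest are refused and the server keeps serving. */
int flood_subscriptions(model_server_t *srv, int requests)
{
    int accepted = 0;
    for (int i = 0; i < requests; i++)
        if (create_subscription_checked(srv, 0) >= 0)
            accepted++;
    return accepted;
}

int main(void)
{
    model_server_t *srv = model_server_new(3); /* MaxSubscriptions 3, as in the PoC */
    if (srv == NULL)
        return 1;
    printf("%d of 5 requests accepted, daemon still alive\n",
           flood_subscriptions(srv, 5));
    model_server_free(srv);
    return 0;
}
```

The point of keeping the unchecked variant next to the checked one is the review check itself: any allocator that can legitimately return NULL under a configured resource cap (rather than only on out-of-memory) needs its callers audited, because the cap turns a NULL return from a rare failure into something a remote client can trigger on demand.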
Current thread:
- CVE request: CUPS DoS via RSS subscriptions Kees Cook (Nov 19)
- Re: CVE request: CUPS DoS via RSS subscriptions Steven M. Christey (Nov 20)
- Re: CVE request: CUPS DoS via RSS subscriptions Eygene Ryabinkin (Nov 20)
- Re: CVE request: CUPS DoS via RSS subscriptions Michael Sweet (Nov 21)
- Re: CVE request: cups - potential integer overflow in PNG image reader [was: CUPS DoS via RSS subscriptions] Jan Lieskovsky (Nov 25)
- Re: CVE request: cups - potential integer overflow in PNG image reader [was: CUPS DoS via RSS subscriptions] Eygene Ryabinkin (Nov 25)
- Re: CVE request: cups - potential integer overflow in PNG image reader [was: CUPS DoS via RSS subscriptions] Tomas Hoger (Nov 25)
- Re: CVE request: cups - potential integer overflow in PNG image reader [was: CUPS DoS via RSS subscriptions] Tomas Hoger (Dec 03)
- Re: CVE request: CUPS DoS via RSS subscriptions Eygene Ryabinkin (Nov 20)
- Re: CVE request: CUPS DoS via RSS subscriptions Steven M. Christey (Nov 20)
- <Possible follow-ups>
- Re: CVE request: CUPS DoS via RSS subscriptions Josh Bressers (Nov 19)
- Re: CVE request: CUPS DoS via RSS subscriptions Eygene Ryabinkin (Nov 19)
- Re: CVE request: CUPS DoS via RSS subscriptions Michael Sweet (Nov 19)
- Re: CVE request: CUPS DoS via RSS subscriptions Eygene Ryabinkin (Nov 20)
- Re: CVE request: CUPS DoS via RSS subscriptions Michael R Sweet (Nov 20)
- Re: CVE request: CUPS DoS via RSS subscriptions Eygene Ryabinkin (Nov 19)