Re: CVE request: CUPS DoS via RSS subscriptions

[Eygene Ryabinkin <rea-sec () codelabs ru>]

Josh, Mike, *, good day.

Wed, Nov 19, 2008 at 03:14:43PM -0500, Josh Bressers wrote:
> So from looking at cups 1.3.7 on Fedora 8, here is what I see:
>
> (gdb) bt
> #0  create_subscription (con=0xb88975c0, uri=0xb889ae00) at ipp.c:5858
> #1  0xb7facba7 in cupsdProcessIPPRequest (con=0xb88975c0) at ipp.c:615
> #2  0xb7f88bfc in cupsdReadClient (con=0xb88975c0) at client.c:2253
> #3  0xb7fc0606 in cupsdDoSelect (timeout=1) at select.c:537
> #4  0xb7f98710 in main (argc=1, argv=0xbfdd6194) at main.c:817
> (gdb) list
> 5853        else if (printer)
> 5854          cupsdLogMessage(CUPSD_LOG_DEBUG,
> 5855                          "Added subscription %d for printer \"%s\"",
> 5856                          sub->id, printer->name);
> 5857        else
> 5858          cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for server",
> 5859                          sub->id);
> 5860
> 5861        sub->interval = interval;
> 5862        sub->lease    = lease;
> (gdb) print sub
> $1 = (cupsd_subscription_t *) 0x0
>
> It would appear to be a NULL pointer dereference.  It seems that this call a
> few lines above the snippet shown above:
>  sub = cupsdAddSubscription(mask, printer, job, recipient, 0);
>
> will return NULL when the hardcoded value of 100 subscriptions is hit.

Not really hardcoded -- it is settable with the 'MaxSubscriptions'
directive.  I had just reproduced the bug with CUPS 1.3.9 at FreeBSD.
MaxSubscriptions was set to 3 to ease the PoC.  Just repeated
invocations of 'lpr -m <somefile>' were crashing cups daemon
reproducibly.

The attached patch fixes the things for me, but perhaps it needs
some more polishing.  Will try to take a fresh look at this tomorrow.

Mike, please, take a look at this!
-- 
rea

Attachment: a
Description: