Summary
In tools/ipptool.c:7654-7656, the with_value() function copies a literal string into withdata[1023] via memcpy with no length check. The hex-encoded path (line 7616) correctly validates length, but the literal string path does not. A .test file with a WITH-VALUE longer than 1023 bytes overflows the stack buffer by up to ~1024 bytes.
Details
// tools/ipptool.c:7608
unsigned char withdata[1023];
// Line 7654-7656: literal string path -- NO bounds check
withlen = strlen(value);
memcpy(withdata, value, (size_t)withlen); // OVERFLOW if value > 1023
// Compare with hex path at line 7616: HAS bounds check
if (withlen > (int)(2 * (sizeof(withdata) + 1)))
// ... error handling
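The bounds check described above, as an added stand-alone example (not ipptool's code): a hypothetical copy_with_value_literal() with the same 1023-byte buffer rejects any literal longer than the buffer, and accepts_literal_of_length() probes the boundary so the exact cut-off (1023 accepted, 1024 rejected) can be verified without a CUPS build.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same fixed size as withdata[] in the report; the struct and function
 * names here are hypothetical stand-ins for the literal-string path. */
#define WITHDATA_SIZE 1023

typedef struct {
  unsigned char withdata[WITHDATA_SIZE];
  int withlen;
} with_ctx_t;

/* Hardened literal path: length is checked against the buffer size before
 * memcpy. Returns false and leaves ctx untouched when the value is too long. */
bool copy_with_value_literal(with_ctx_t *ctx, const char *value)
{
  size_t len = strlen(value);

  if (len > sizeof(ctx->withdata))
  {
    fprintf(stderr, "WITH-VALUE too long for octetString comparison.\n");
    return false;
  }

  ctx->withlen = (int)len;
  memcpy(ctx->withdata, value, len);
  return true;
}

/* Boundary probe: builds a constructed value of n 'A' characters and reports
 * 1 if the copy is accepted, 0 if rejected, -1 on allocation failure. */
int accepts_literal_of_length(size_t n)
{
  char *value = malloc(n + 1);
  if (!value)
    return -1;
  memset(value, 'A', n);
  value[n] = '\0';

  with_ctx_t ctx;
  memset(&ctx, 0, sizeof(ctx));
  int accepted = copy_with_value_literal(&ctx, value) ? 1 : 0;
  free(value);
  return accepted;
}

int main(void)
{
  printf("1023 bytes: %d, 1024 bytes: %d, 2048 bytes: %d\n",
         accepts_literal_of_length(1023), accepts_literal_of_length(1024),
         accepts_literal_of_length(2048));
  return 0;
}
```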
Reproducer
Create a .test file:
{
OPERATION Get-Printer-Attributes
GROUP operation-attributes-tag
ATTR charset attributes-charset utf-8
ATTR naturalLanguage attributes-natural-language en
ATTR uri printer-uri $uri
EXPECT job-password-encryption OF-TYPE octetString
WITH-VALUE "AAAA...2048 A's...AAAA"
}
gcc -g -fsanitize=address -I. -L./cups -Wl,-rpath,./cups \
-o ipptool_asan tools/ipptool.c -lcups
./ipptool_asan -v http://localhost:631/ /tmp/overflow.test
ASan output:
ERROR: AddressSanitizer: stack-buffer-overflow
WRITE of size 2047 overflowing 1023-byte withdata variable
Suggested Fix
withlen = strlen(value);
+ if (withlen > (int)sizeof(withdata))
+ {
+ print_fatal_error(data, "WITH-VALUE too long for octetString comparison.");
+ return (false);
+ }
memcpy(withdata, value, (size_t)withlen);
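Review bot: the new check only rejects values strictly longer than sizeof(withdata), so a 1023-byte literal fills the buffer exactly; that matches the intent, but the reproducer only exercises a 2048-byte value, so the fix should ship with two .test cases at the boundary, one with a 1023-byte WITH-VALUE (expected to be accepted) and one with 1024 bytes (expected to hit the new print_fatal_error), to pin the cut-off and guard against a later off-by-one.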