
Chunking read bug causes DoS #143

Closed
michaelrsweet opened this issue Jun 7, 2003 · 6 comments

@michaelrsweet
Collaborator

Version: 1.1.19
CUPS.org User: kenneth.choi

We have just installed ESP PrintPro 4.4 on one of our HP Unix machines running HP-UX 11i.

We use a testing program from ShineSoft called "ippprint.exe"; the tool can be obtained from http://www.shinesoft.com/ipp/ipptools.html

We have encountered a problem when we write a simple batch program which sends jobs continuously to a dummy print queue (which has been stopped but is accepting jobs) in ESP PrintPro 4.4. When we try to break (Ctrl-C) the DOS batch program (you may need to try several times to see the problem), it may hang the CUPSD, which then does not respond to any other clients. The problem only occurred when we were using chunking mode.

  The following is the sample batch file.
  -------
  :Loop
  ippprint -v -c -p http://Servername:631/printers/dummy -d application/octet-stream test.txt
  goto Loop
  ------------------------------------
(The -c option above selects chunking mode; the problem seems to occur only when using chunking.)
@michaelrsweet
Collaborator Author

CUPS.org User: kenneth.choi

I got the debugger trace as follows:

Trial 1

Program received signal SIGINT, Interrupt.
0x77faaef0 in _select_sys () from /usr/lib/libc.2
(gdb) where
#0 0x77faaef0 in _select_sys () from /usr/lib/libc.2
#1 0x77fb63b8 in select () from /usr/lib/libc.2
#2 0x77c9b4a0 in httpWait () from /usr/lib/libcups.sl.2
#3 0x77ca017c in ipp_read_http () from /usr/lib/libcups.sl.2
#4 0x77c9e760 in ippReadIO () from /usr/lib/libcups.sl.2
#5 0x77c9e5f8 in ippRead () from /usr/lib/libcups.sl.2
#6 0x20034 in ReadClient ()
#7 0x2ca38 in main ()

Trial 2

Program received signal SIGINT, Interrupt.
0x77fab710 in time () from /usr/lib/libc.2
(gdb) where
#0 0x77fab710 in time () from /usr/lib/libc.2
#1 0x77c9afb8 in httpRead () from /usr/lib/libcups.sl.2
#2 0x77ca0194 in ipp_read_http () from /usr/lib/libcups.sl.2
#3 0x77c9e760 in ippReadIO () from /usr/lib/libcups.sl.2
#4 0x77c9e5f8 in ippRead () from /usr/lib/libcups.sl.2
#5 0x20034 in ReadClient ()
#6 0x2ca38 in main ()

It seems that the cupsd is looping in the ipp_read_http function, as I found when I tried to step through the program with the "step" command.

Also, I captured the packets with Ethereal and found that the problem only occurs when I break the batch program just after the HTTP POST request has been sent but before the IPP request has been sent.

I think the problem is caused by the ipp_read_http for the following reasons:

1.) In cups-1.1.18, it just has "if (http->used > 0)" in ipp_Read, but in 1.1.19 it has a second condition, "http->data_encoding == HTTP_ENCODE_LENGTH", which must also be met. Because we are using chunking, it will not enter this if-condition.

2.) Thus, it will run the next else-condition by checking httpWait. Since the connection is already open (I can see an "unknown socket type" file opened through HP-UX glance), it will not break the for-loop.

3.) For the last else-if, httpRead may return only 0 and not a negative value; since the condition is < 0, it will not break the for-loop either.

Since "bytes" is always zero in that case, it loops forever in the for-loop. That causes the problem, and it explains why the problem only occurred with chunking: chunking always bypasses the first if-condition.
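The read loop described in the analysis above, reconstructed as an added example (not CUPS code): a fake connection that delivers part of a value and then returns 0 on every further read, fed to a loop that breaks only on a negative return (the 1.1.19 shape) and to one that also breaks on zero (the str143 shape). The `fake_http_t` type, `fake_read()`, `run_scenario()` and the spin guard are constructed for the demonstration.

```c
#include <string.h>

#define SPIN_LIMIT 1000  /* demo-only guard: in cupsd this loop simply never ends */

/* Constructed stand-in for the HTTP connection and httpRead(): the peer sent
 * `avail` bytes of a value, then stopped sending but kept the socket open, so
 * every further read returns 0 (no data) rather than a negative error. */
typedef struct { const char *data; size_t avail; size_t pos; } fake_http_t;

static int fake_read(fake_http_t *http, char *buf, size_t n) {
  size_t left = http->avail - http->pos;
  if (left == 0) return 0;            /* the case the 1.1.19 loop never handled */
  if (n > left) n = left;
  memcpy(buf, http->data + http->pos, n);
  http->pos += n;
  return (int)n;
}

/* Loop in the 1.1.19 shape: only a negative return leaves the loop.
 * Returns the bytes collected, or -1 if the spin guard tripped. */
int read_value_buggy(fake_http_t *http, char *buffer, size_t length) {
  size_t tbytes = 0; int bytes, iterations = 0;
  for (; tbytes < length; tbytes += bytes) {
    if (++iterations > SPIN_LIMIT) return -1;   /* would hang cupsd for real */
    if ((bytes = fake_read(http, buffer + tbytes, length - tbytes)) < 0)
      break;
  }
  return (int)tbytes;
}

/* Loop in the str143 shape: a zero-byte read also ends the loop, and the
 * caller must treat tbytes < length as a truncated value, not a complete one. */
int read_value_fixed(fake_http_t *http, char *buffer, size_t length) {
  size_t tbytes = 0; int bytes;
  for (; tbytes < length; tbytes += bytes) {
    if ((bytes = fake_read(http, buffer + tbytes, length - tbytes)) <= 0)
      break;
  }
  return (int)tbytes;
}

/* One scenario: the peer delivers `avail` of an expected `length` bytes
 * (avail must be at most 16, the size of the constructed data). */
int run_scenario(int use_fix, size_t avail, size_t length) {
  char buffer[64];
  fake_http_t http = { "0123456789abcdef", avail, 0 };   /* constructed data */
  return use_fix ? read_value_fixed(&http, buffer, length)
                 : read_value_buggy(&http, buffer, length);
}
```

With two of eight expected bytes delivered, `run_scenario(0, 2, 8)` trips the guard and returns -1 (the hang), while `run_scenario(1, 2, 8)` returns the short count 2, which the caller must then reject.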

@michaelrsweet
Collaborator Author

CUPS.org User: mike

Opened CUPS STR to mirror bug filed against ESP Print Pro. Fix will be in 1.1.20 and 4.4.1...

@michaelrsweet
Collaborator Author

CUPS.org User: kenneth.choi

How about the schedule for the release of cups-1.1.20 and PrintPro 4.4.1? Thanks

@michaelrsweet
Collaborator Author

CUPS.org User: mike

1.1.20 and 4.4.1 will probably be released at the end of July.

@michaelrsweet
Collaborator Author

CUPS.org User: mike

Fixed in CVS; see attached patch if you want to implement the fix against CUPS 1.1.19.

@michaelrsweet
Collaborator Author

"str143.patch":

Index: ipp.c

RCS file: /development/cvs/cups/cups/ipp.c,v
retrieving revision 1.91
diff -u -r1.91 ipp.c
--- ipp.c 2003/05/09 16:05:28 1.91
+++ ipp.c 2003/06/14 17:05:30
@@ -2500,7 +2500,7 @@
bytes = -1;
break;
}

  •  else if ((bytes = httpRead(http, (char *)buffer, length - tbytes)) < 0)
    
  •  else if ((bytes = httpRead(http, (char *)buffer, length - tbytes)) <= 0)
     break;
    
    }
    }
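Review bot: the `<= 0` in the replacement line closes the spin the report describes (httpRead returning 0 on a chunked connection never satisfied the `< 0` test, so `bytes` stayed zero and `tbytes` never advanced), but a zero return is now handled exactly like an error, so the caller of this loop must check `tbytes < length` after the break and reject the truncated value instead of using a partially filled buffer; a short comment on the line saying that 0 means "no data available / peer stopped sending" would also help the next reader, since the `bytes = -1; break;` path just above already reserves -1 for the error case.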
