Missing IPP value length range checks #2561

Closed
michaelrsweet opened this issue Oct 16, 2007 · 8 comments

@michaelrsweet
commented Oct 16, 2007

Version: 1.3-current
CUPS.org User: mike

Hello,

Secunia Research has discovered a vulnerability in CUPS, which can be
exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the
"ippReadIO()" function in cups/ipp.c when processing IPP (Internet
Printing Protocol) tags. This can be exploited to overwrite one byte on
the stack with a zero by sending an IPP request containing specially
crafted "textWithLanguage" or "nameWithLanguage" tags.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 1.3.3. Other versions may also
be affected.

Vulnerability Details:

The vulnerability is caused by the missing check for the text-length
field at line 1430 in cups/ipp.c from cups-1.3.3.

Exploitation:

Secunia Research has created a PoC for the vulnerability, which is
available upon request.

The vulnerability can also be reproduced by sending a specially crafted
IPP request specifying an IPP tag equal to 0x35 (IPP_TAG_TEXTLANG),
containing an overly large text-length value (e.g. 33035).

Closing comments:

We have assigned this vulnerability Secunia advisory SA27233 and CVE
identifier CVE-2007-4351.

A preliminary disclosure date of 2007-10-31 10am CET has been set, where
the details will be publicly disclosed. However, we are naturally
prepared to push the disclosure date if you need more time to address
the vulnerability.

Please acknowledge receiving this e-mail and let us know when you expect
to fix the vulnerability.

Credits should go to:
Alin Rad Pop, Secunia Research.

Also, if you have any questions, then please don't hesitate to contact
me.
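
The kind of check the report says was missing, as an added example (not code from cups/ipp.c or from Secunia): a stand-alone parser for a textWithLanguage value that validates each 2-byte length against the bytes remaining before it copies or terminates anything. All names (`parse_text_with_language`, `twl_value_t`, the buffer sizes) and the sample byte strings are constructed for illustration; 0x810B is the 33035 length from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names and sizes for this example; not taken from cups/ipp.c. */
#define TWL_OK     0
#define TWL_ERROR  (-1)

typedef struct
{
  char language[64];    /* natural-language part, NUL-terminated */
  char text[1024];      /* text part, NUL-terminated */
} twl_value_t;

/* Copy one field (2-byte big-endian length + data) from val[*pos..vallen)
 * into dst. Every length is checked against the bytes that remain in the
 * value and against the destination before anything is copied. */
static int
read_field(const unsigned char *val, size_t vallen, size_t *pos,
           char *dst, size_t dstsize)
{
  size_t len;

  if (vallen - *pos < 2)                /* room for the length itself? */
    return (TWL_ERROR);

  len  = ((size_t)val[*pos] << 8) | val[*pos + 1];
  *pos += 2;

  if (len > vallen - *pos)              /* field runs past the value */
    return (TWL_ERROR);
  if (len >= dstsize)                   /* no room for data plus NUL */
    return (TWL_ERROR);

  memcpy(dst, val + *pos, len);
  dst[len] = '\0';
  *pos += len;
  return (TWL_OK);
}

/* Parse a textWithLanguage/nameWithLanguage value of vallen bytes. */
int
parse_text_with_language(const unsigned char *val, size_t vallen,
                         twl_value_t *out)
{
  size_t pos = 0;

  if (vallen < 4)                       /* two 2-byte lengths at minimum */
    return (TWL_ERROR);
  if (read_field(val, vallen, &pos, out->language, sizeof(out->language)) != TWL_OK)
    return (TWL_ERROR);
  if (read_field(val, vallen, &pos, out->text, sizeof(out->text)) != TWL_OK)
    return (TWL_ERROR);

  /* Strict choice made for this example: no trailing bytes allowed. */
  return (pos == vallen ? TWL_OK : TWL_ERROR);
}

/* Constructed sample values (not captured traffic). */
const unsigned char SAMPLE_OK[]          = { 0x00, 0x02, 'e', 'n', 0x00, 0x02, 'h', 'i' };
const unsigned char SAMPLE_BIG_TEXTLEN[] = { 0x00, 0x02, 'e', 'n', 0x81, 0x0B, 'h', 'i' };
const unsigned char SAMPLE_BIG_LANGLEN[] = { 0xFF, 0xFF, 'e', 'n', 0x00, 0x02, 'h', 'i' };
const unsigned char SAMPLE_NO_TEXTLEN[]  = { 0x00, 0x02, 'e', 'n', 0x00 };

twl_value_t parsed;

int
main(void)
{
  printf("well-formed value:      %d\n",
         parse_text_with_language(SAMPLE_OK, sizeof(SAMPLE_OK), &parsed));
  printf("text-length 33035:      %d\n",
         parse_text_with_language(SAMPLE_BIG_TEXTLEN, sizeof(SAMPLE_BIG_TEXTLEN), &parsed));
  printf("language-length 65535:  %d\n",
         parse_text_with_language(SAMPLE_BIG_LANGLEN, sizeof(SAMPLE_BIG_LANGLEN), &parsed));
  printf("truncated text-length:  %d\n",
         parse_text_with_language(SAMPLE_NO_TEXTLEN, sizeof(SAMPLE_NO_TEXTLEN), &parsed));
  return (0);
}
```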

@michaelrsweet

commented Oct 16, 2007

CUPS.org User: mike

This bug affects all versions of CUPS.

Patches are attached for CUPS 1.1.23, CUPS 1.2.12, and 1.3.3.

@michaelrsweet

commented Oct 31, 2007

CUPS.org User: mike

Fixed in Subversion repository.

@michaelrsweet

commented Oct 31, 2007

"str2561-cups13.patch":

Index: ipp.c

--- ipp.c (revision 7023)
+++ ipp.c (working copy)
@@ -1306,6 +1306,12 @@
{
case IPP_TAG_INTEGER :
case IPP_TAG_ENUM :

  •   if (n != 4)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 4) < 4)
      
      {
      DEBUG_puts("ippReadIO: Unable to read integer value!");
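Review bot: the six-line length check added before `(*cb)(src, buffer, 4)` is repeated, with only the constant changed, in the BOOLEAN, DATE, RESOLUTION and RANGE cases of this patch; a small macro or helper that takes the expected length would keep the copies from drifting apart. The message `bad value length %d!` would also be easier to act on if it named the tag being read.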
      @@ -1318,6 +1324,12 @@
      value->integer = n;
      break;
      case IPP_TAG_BOOLEAN :
  •   if (n != 1)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 1) < 1)
      
      {
      DEBUG_puts("ippReadIO: Unable to read boolean value!");
      @@ -1335,6 +1347,12 @@
      case IPP_TAG_CHARSET :
      case IPP_TAG_LANGUAGE :
      case IPP_TAG_MIMETYPE :
  •   if (n >= sizeof(buffer))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    • if ((*cb)(src, buffer, n) < n)
      {
      DEBUG_puts("ippReadIO: unable to read name!");
      @@ -1347,6 +1365,12 @@
      value->string.text));
      break;
      case IPP_TAG_DATE :
  •   if (n != 11)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, value->date, 11) < 11)
      
      {
      DEBUG_puts("ippReadIO: Unable to date integer value!");
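Review bot: the literal 11 now appears three times around `(*cb)(src, value->date, 11)`, and the read goes straight into value->date rather than into buffer; tying both the check and the read to the destination size (sizeof(value->date), if it is declared as an array) would keep them in step. The context message `Unable to date integer value!` is a copy-and-paste slip that could be corrected in the same change.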
      @@ -1354,6 +1378,12 @@
      }
      break;
      case IPP_TAG_RESOLUTION :
  •   if (n != 9)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 9) < 9)
      
      {
      DEBUG_puts("ippReadIO: Unable to read resolution value!");
      @@ -1370,6 +1400,12 @@
      (ipp_res_t)buffer[8];
      break;
      case IPP_TAG_RANGE :
  •   if (n != 8)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 8) < 8)
      
      {
      DEBUG_puts("ippReadIO: Unable to read range value!");
      @@ -1385,7 +1421,7 @@
      break;
      case IPP_TAG_TEXTLANG :
      case IPP_TAG_NAMELANG :
  •       if (n > sizeof(buffer) || n < 4)
    
  •       if (n >= sizeof(buffer) || n < 4)
    {
      DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
      return (IPP_ERROR);
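Review bot: neither limit in `if (n >= sizeof(buffer) || n < 4)` is explained, although this one-character change is the core of the fix. A short comment saying that 4 is the two 2-byte length fields and that `>=` reserves the byte for the terminator written later in this case would help whoever touches the line next.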
    

    @@ -1427,6 +1463,12 @@
    bufptr += 2 + n;
    n = (bufptr[0] << 8) | bufptr[1];

  •   if ((bufptr + n) >= (buffer + sizeof(buffer)))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    • bufptr[2 + n] = '\0';
      value->string.text = _cupsStrAlloc((char *)bufptr + 2);
      break;
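Review bot: the added check `if ((bufptr + n) >= (buffer + sizeof(buffer)))` leaves out the 2-byte length prefix, while the write it guards is `bufptr[2 + n] = '\0'`. With bufptr + n equal to buffer + sizeof(buffer) - 1 the check passes and the terminator is written at buffer[sizeof(buffer) + 1]. Compare `bufptr + 2 + n` instead, as the v2 patches later in this thread do.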
      @@ -1468,6 +1510,12 @@
      * we need to carry over...
      */
  •   if (n >= sizeof(buffer))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, n) < n)
      
      {
      DEBUG_puts("ippReadIO: Unable to read member name value!");
      @@ -1489,6 +1537,12 @@
      break;
         default : /* Other unsupported values */
    
  •   if (n > sizeof(buffer))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •        value->unknown.length = n;
        if (n > 0)
      
      {
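Review bot: `if (n > sizeof(buffer))` in the default case accepts n == sizeof(buffer), whereas the string and member-name cases in this patch reject it with `>=`. If that is intentional because unknown values are stored with their length in `value->unknown.length` and need no terminator, say so in a comment next to the check; otherwise use `>=` for consistency.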
@michaelrsweet

commented Oct 31, 2007

"str2561-cups11.patch":

Index: ipp.c

--- ipp.c (revision 7023)
+++ ipp.c (working copy)
@@ -1,5 +1,5 @@
/*

  • * "$Id: ipp.c,v 1.98 2005/01/03 19:29:45 mike Exp $"

  • * "$Id$"
    *

    • Internet Printing Protocol support functions for the Common UNIX
    • Printing System (CUPS).
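Review bot: the `$Id$` keyword change in the file header (and in the matching hunk at the end of the file) is unrelated to the length checks. Leaving it out would keep this security backport limited to the lines that change behaviour and make it easier to review and apply.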
      @@ -1119,6 +1119,12 @@
      {
      case IPP_TAG_INTEGER :
      case IPP_TAG_ENUM :
  •   if (n != 4)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 4) < 4)
      
      {
      DEBUG_puts("ippReadIO: Unable to read integer value!");
      @@ -1131,6 +1137,12 @@
      value->integer = n;
      break;
      case IPP_TAG_BOOLEAN :
  •   if (n != 1)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 1) < 1)
      
      {
      DEBUG_puts("ippReadIO: Unable to read boolean value!");
      @@ -1148,6 +1160,12 @@
      case IPP_TAG_CHARSET :
      case IPP_TAG_LANGUAGE :
      case IPP_TAG_MIMETYPE :
  •   if (n >= sizeof(buffer))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •        value->string.text = calloc(n + 1, 1);
      
        if ((*cb)(src, (ipp_uchar_t *)value->string.text, n) < n)
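Review bot: in this branch the value is read into `calloc(n + 1, 1)` storage rather than into buffer, so `n >= sizeof(buffer)` works as a size cap, not as a bounds check on the destination, and the calloc result is passed to `(*cb)` with no NULL test in the lines shown. Add the NULL check while this code is open, and a comment that the limit is a cap on accepted string length.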
    

    @@ -1160,6 +1178,12 @@
    value->string.text));
    break;
    case IPP_TAG_DATE :

  •   if (n != 11)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, value->date, 11) < 11)
      
      {
      DEBUG_puts("ippReadIO: Unable to date integer value!");
      @@ -1167,6 +1191,12 @@
      }
      break;
      case IPP_TAG_RESOLUTION :
  •   if (n != 9)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 9) < 9)
      
      {
      DEBUG_puts("ippReadIO: Unable to read resolution value!");
      @@ -1183,6 +1213,12 @@
      (ipp_res_t)buffer[8];
      break;
      case IPP_TAG_RANGE :
  •   if (n != 8)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 8) < 8)
      
      {
      DEBUG_puts("ippReadIO: Unable to read range value!");
      @@ -1198,7 +1234,7 @@
      break;
      case IPP_TAG_TEXTLANG :
      case IPP_TAG_NAMELANG :
  •       if (n > sizeof(buffer) || n < 4)
    
  •       if (n >= sizeof(buffer) || n < 4)
    {
      DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
      return (IPP_ERROR);
    

    @@ -1224,14 +1260,25 @@

    n = (bufptr[0] << 8) | bufptr[1];
    
  •   if ((bufptr + n) >= (buffer + sizeof(buffer)))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •        value->string.charset = calloc(n + 1, 1);
      
  •   memcpy(value->string.charset,
    
  •          bufptr + 2, n);
    
  •   memcpy(value->string.charset, bufptr + 2, n);
    
             bufptr += 2 + n;
    n = (bufptr[0] << 8) | bufptr[1];
    
  •   if ((bufptr + n) >= (buffer + sizeof(buffer)))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •        value->string.text = calloc(n + 1, 1);
      
    memcpy(value->string.text,
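Review bot: both added checks compare `(bufptr + n)` against the end of buffer, but the copies that follow start at `bufptr + 2` and take n bytes, so a length that passes the check can still make memcpy read past the end of buffer. The comparison needs the 2-byte prefix included, `(bufptr + 2 + n)`, for both the charset and the text length.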
    

    @@ -1287,6 +1334,12 @@
    break;

         default : /* Other unsupported values */
    
  •   if (n > sizeof(buffer))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •        value->unknown.length = n;
        if (n > 0)
      
      {
      @@ -2557,5 +2610,5 @@

    /*

  • * End of "$Id: ipp.c,v 1.98 2005/01/03 19:29:45 mike Exp $".

  • * End of "$Id$".
    */

@michaelrsweet

commented Oct 31, 2007

"str2561-cups12.patch":

Index: ipp.c

--- ipp.c (revision 7023)
+++ ipp.c (working copy)
@@ -1315,6 +1315,12 @@
{
case IPP_TAG_INTEGER :
case IPP_TAG_ENUM :

  •   if (n != 4)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 4) < 4)
      
      {
      DEBUG_puts("ippReadIO: Unable to read integer value!");
      @@ -1327,6 +1333,12 @@
      value->integer = n;
      break;
      case IPP_TAG_BOOLEAN :
  •   if (n != 1)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 1) < 1)
      
      {
      DEBUG_puts("ippReadIO: Unable to read boolean value!");
      @@ -1344,6 +1356,12 @@
      case IPP_TAG_CHARSET :
      case IPP_TAG_LANGUAGE :
      case IPP_TAG_MIMETYPE :
  •   if (n >= sizeof(buffer))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    • if ((*cb)(src, buffer, n) < n)
      {
      DEBUG_puts("ippReadIO: unable to read name!");
      @@ -1356,6 +1374,12 @@
      value->string.text));
      break;
      case IPP_TAG_DATE :
  •   if (n != 11)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, value->date, 11) < 11)
      
      {
      DEBUG_puts("ippReadIO: Unable to date integer value!");
      @@ -1363,6 +1387,12 @@
      }
      break;
      case IPP_TAG_RESOLUTION :
  •   if (n != 9)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 9) < 9)
      
      {
      DEBUG_puts("ippReadIO: Unable to read resolution value!");
      @@ -1379,6 +1409,12 @@
      (ipp_res_t)buffer[8];
      break;
      case IPP_TAG_RANGE :
  •   if (n != 8)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 8) < 8)
      
      {
      DEBUG_puts("ippReadIO: Unable to read range value!");
      @@ -1394,7 +1430,7 @@
      break;
      case IPP_TAG_TEXTLANG :
      case IPP_TAG_NAMELANG :
  •       if (n > sizeof(buffer) || n < 4)
    
  •       if (n >= sizeof(buffer) || n < 4)
    {
      DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
      return (IPP_ERROR);
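Review bot: the change from `>` to `>=` at `if (n >= sizeof(buffer) || n < 4)` is a boundary that can regress silently, and this patch touches only ipp.c. A regression test that feeds a value whose length equals sizeof(buffer) and expects IPP_ERROR would pin the behaviour down.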
    

    @@ -1436,6 +1472,12 @@
    bufptr += 2 + n;
    n = (bufptr[0] << 8) | bufptr[1];

  •   if ((bufptr + n) >= (buffer + sizeof(buffer)))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    • bufptr[2 + n] = '\0';
      value->string.text = _cupsStrAlloc((char *)bufptr + 2);
      break;
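Review bot: `n = (bufptr[0] << 8) | bufptr[1]` reads the text length before anything has checked where `bufptr += 2 + n` left the pointer, and this patch adds no check on the length used in that increment. Those two reads can therefore already be outside buffer by the time the new test runs; validate the preceding length first, then read and validate this one.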
      @@ -1477,6 +1519,12 @@
      * we need to carry over...
      */
  •   if (n >= sizeof(buffer))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, n) < n)
      
      {
      DEBUG_puts("ippReadIO: Unable to read member name value!");
      @@ -1498,6 +1546,12 @@
      break;
         default : /* Other unsupported values */
    
  •   if (n > sizeof(buffer))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •        value->unknown.length = n;
        if (n > 0)
      
      {
@michaelrsweet

commented Oct 31, 2007

"str2561-cups11v2.patch":

Index: ipp.c

--- ipp.c (revision 7023)
+++ ipp.c (working copy)
@@ -1,5 +1,5 @@
/*

  • * "$Id: ipp.c,v 1.98 2005/01/03 19:29:45 mike Exp $"

  • * "$Id$"
    *

    • Internet Printing Protocol support functions for the Common UNIX
    • Printing System (CUPS).
      @@ -1119,6 +1119,12 @@
      {
      case IPP_TAG_INTEGER :
      case IPP_TAG_ENUM :
  •   if (n != 4)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 4) < 4)
      
      {
      DEBUG_puts("ippReadIO: Unable to read integer value!");
      @@ -1131,6 +1137,12 @@
      value->integer = n;
      break;
      case IPP_TAG_BOOLEAN :
  •   if (n != 1)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 1) < 1)
      
      {
      DEBUG_puts("ippReadIO: Unable to read boolean value!");
      @@ -1148,6 +1160,12 @@
      case IPP_TAG_CHARSET :
      case IPP_TAG_LANGUAGE :
      case IPP_TAG_MIMETYPE :
  •   if (n >= sizeof(buffer))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •        value->string.text = calloc(n + 1, 1);
      
        if ((*cb)(src, (ipp_uchar_t *)value->string.text, n) < n)
    

    @@ -1160,6 +1178,12 @@
    value->string.text));
    break;
    case IPP_TAG_DATE :

  •   if (n != 11)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, value->date, 11) < 11)
      
      {
      DEBUG_puts("ippReadIO: Unable to date integer value!");
      @@ -1167,6 +1191,12 @@
      }
      break;
      case IPP_TAG_RESOLUTION :
  •   if (n != 9)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 9) < 9)
      
      {
      DEBUG_puts("ippReadIO: Unable to read resolution value!");
      @@ -1183,6 +1213,12 @@
      (ipp_res_t)buffer[8];
      break;
      case IPP_TAG_RANGE :
  •   if (n != 8)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 8) < 8)
      
      {
      DEBUG_puts("ippReadIO: Unable to read range value!");
      @@ -1198,7 +1234,7 @@
      break;
      case IPP_TAG_TEXTLANG :
      case IPP_TAG_NAMELANG :
  •       if (n > sizeof(buffer) || n < 4)
    
  •       if (n >= sizeof(buffer) || n < 4)
    {
      DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
      return (IPP_ERROR);
    

    @@ -1224,18 +1260,28 @@

    n = (bufptr[0] << 8) | bufptr[1];
    
  •   if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •        value->string.charset = calloc(n + 1, 1);
      
  •   memcpy(value->string.charset,
    
  •          bufptr + 2, n);
    
  •   memcpy(value->string.charset, bufptr + 2, n);
    
             bufptr += 2 + n;
    n = (bufptr[0] << 8) | bufptr[1];
    
  •   if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •        value->string.text = calloc(n + 1, 1);
      
  •   memcpy(value->string.text,
    
  •          bufptr + 2, n);
    
  •   memcpy(value->string.text, bufptr + 2, n);
        break;
    
         case IPP_TAG_BEGIN_COLLECTION :
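Review bot: after the first check passes, `bufptr += 2 + n` can leave bufptr at buffer + sizeof(buffer) - 1, and the following `n = (bufptr[0] << 8) | bufptr[1]` then reads bufptr[1] one byte past the end of buffer. Require that at least two bytes remain before reading the second length, for example by rejecting the value when bufptr + 2 is beyond buffer + sizeof(buffer).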
    

    @@ -1287,6 +1333,12 @@
    break;

         default : /* Other unsupported values */
    
  •   if (n > sizeof(buffer))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •        value->unknown.length = n;
        if (n > 0)
      
      {
      @@ -2557,5 +2609,5 @@

    /*

  • * End of "$Id: ipp.c,v 1.98 2005/01/03 19:29:45 mike Exp $".

  • * End of "$Id$".
    */

@michaelrsweet

commented Oct 31, 2007

"str2561-cups12v2.patch":

Index: ipp.c

--- ipp.c (revision 7023)
+++ ipp.c (working copy)
@@ -1315,6 +1315,12 @@
{
case IPP_TAG_INTEGER :
case IPP_TAG_ENUM :

  •   if (n != 4)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 4) < 4)
      
      {
      DEBUG_puts("ippReadIO: Unable to read integer value!");
      @@ -1327,6 +1333,12 @@
      value->integer = n;
      break;
      case IPP_TAG_BOOLEAN :
  •   if (n != 1)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 1) < 1)
      
      {
      DEBUG_puts("ippReadIO: Unable to read boolean value!");
      @@ -1344,6 +1356,12 @@
      case IPP_TAG_CHARSET :
      case IPP_TAG_LANGUAGE :
      case IPP_TAG_MIMETYPE :
  •   if (n >= sizeof(buffer))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    • if ((*cb)(src, buffer, n) < n)
      {
      DEBUG_puts("ippReadIO: unable to read name!");
      @@ -1356,6 +1374,12 @@
      value->string.text));
      break;
      case IPP_TAG_DATE :
  •   if (n != 11)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, value->date, 11) < 11)
      
      {
      DEBUG_puts("ippReadIO: Unable to date integer value!");
      @@ -1363,6 +1387,12 @@
      }
      break;
      case IPP_TAG_RESOLUTION :
  •   if (n != 9)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 9) < 9)
      
      {
      DEBUG_puts("ippReadIO: Unable to read resolution value!");
      @@ -1379,6 +1409,12 @@
      (ipp_res_t)buffer[8];
      break;
      case IPP_TAG_RANGE :
  •   if (n != 8)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 8) < 8)
      
      {
      DEBUG_puts("ippReadIO: Unable to read range value!");
      @@ -1394,7 +1430,7 @@
      break;
      case IPP_TAG_TEXTLANG :
      case IPP_TAG_NAMELANG :
  •       if (n > sizeof(buffer) || n < 4)
    
  •       if (n >= sizeof(buffer) || n < 4)
    {
      DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
      return (IPP_ERROR);
    

    @@ -1420,22 +1456,27 @@

    n = (bufptr[0] << 8) | bufptr[1];
    
  •            if (n >= sizeof(string))
    
  •   if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||
    
  •       n >= sizeof(string))
    {
    
  •     memcpy(string, bufptr + 2, sizeof(string) - 1);
    
  •     string[sizeof(string) - 1] = '\0';
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    }
    
  •   else
    
  •   {
    
  •     memcpy(string, bufptr + 2, n);
    
  •     string[n] = '\0';
    
  •            }
    
  •   memcpy(string, bufptr + 2, n);
    
  •   string[n] = '\0';
    
    • value->string.charset = _cupsStrAlloc((char *)string);
             bufptr += 2 + n;
    n = (bufptr[0] << 8) | bufptr[1];
    
  •   if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    • bufptr[2 + n] = '\0';
      value->string.text = _cupsStrAlloc((char *)bufptr + 2);
      break;
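Review bot: a charset with `n >= sizeof(string)` used to be truncated into string and is now rejected with IPP_ERROR, which is a behaviour change beyond the bounds fix. That is the safer choice, but it deserves a line in the commit message or changelog so that anyone whose requests start failing after the update can find the reason.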
      @@ -1477,6 +1518,12 @@
      * we need to carry over...
      */
  •   if (n >= sizeof(buffer))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, n) < n)
      
      {
      DEBUG_puts("ippReadIO: Unable to read member name value!");
      @@ -1498,6 +1545,12 @@
      break;
         default : /* Other unsupported values */
    
  •   if (n > sizeof(buffer))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •        value->unknown.length = n;
        if (n > 0)
      
      {
@michaelrsweet

commented Oct 31, 2007

"str2561-cups13v2.patch":

Index: ipp.c

--- ipp.c (revision 7023)
+++ ipp.c (working copy)
@@ -1306,6 +1306,12 @@
{
case IPP_TAG_INTEGER :
case IPP_TAG_ENUM :

  •   if (n != 4)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 4) < 4)
      
      {
      DEBUG_puts("ippReadIO: Unable to read integer value!");
      @@ -1318,6 +1324,12 @@
      value->integer = n;
      break;
      case IPP_TAG_BOOLEAN :
  •   if (n != 1)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 1) < 1)
      
      {
      DEBUG_puts("ippReadIO: Unable to read boolean value!");
      @@ -1335,6 +1347,12 @@
      case IPP_TAG_CHARSET :
      case IPP_TAG_LANGUAGE :
      case IPP_TAG_MIMETYPE :
  •   if (n >= sizeof(buffer))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    • if ((*cb)(src, buffer, n) < n)
      {
      DEBUG_puts("ippReadIO: unable to read name!");
      @@ -1347,6 +1365,12 @@
      value->string.text));
      break;
      case IPP_TAG_DATE :
  •   if (n != 11)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, value->date, 11) < 11)
      
      {
      DEBUG_puts("ippReadIO: Unable to date integer value!");
      @@ -1354,6 +1378,12 @@
      }
      break;
      case IPP_TAG_RESOLUTION :
  •   if (n != 9)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 9) < 9)
      
      {
      DEBUG_puts("ippReadIO: Unable to read resolution value!");
      @@ -1370,6 +1400,12 @@
      (ipp_res_t)buffer[8];
      break;
      case IPP_TAG_RANGE :
  •   if (n != 8)
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, 8) < 8)
      
      {
      DEBUG_puts("ippReadIO: Unable to read range value!");
      @@ -1385,7 +1421,7 @@
      break;
      case IPP_TAG_TEXTLANG :
      case IPP_TAG_NAMELANG :
  •       if (n > sizeof(buffer) || n < 4)
    
  •       if (n >= sizeof(buffer) || n < 4)
    {
      DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
      return (IPP_ERROR);
    

    @@ -1411,22 +1447,27 @@

    n = (bufptr[0] << 8) | bufptr[1];
    
  •            if (n >= sizeof(string))
    
  •   if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||
    
  •       n >= sizeof(string))
    {
    
  •     memcpy(string, bufptr + 2, sizeof(string) - 1);
    
  •     string[sizeof(string) - 1] = '\0';
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    }
    
  •   else
    
  •   {
    
  •     memcpy(string, bufptr + 2, n);
    
  •     string[n] = '\0';
    
  •            }
    
  •   memcpy(string, bufptr + 2, n);
    
  •   string[n] = '\0';
    
    • value->string.charset = _cupsStrAlloc((char *)string);
             bufptr += 2 + n;
    n = (bufptr[0] << 8) | bufptr[1];
    
  •   if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    • bufptr[2 + n] = '\0';
      value->string.text = _cupsStrAlloc((char *)bufptr + 2);
      break;
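Review bot: `(bufptr + 2 + n) >= (buffer + sizeof(buffer))` forms a pointer that can lie far beyond the end of buffer before the comparison is made, since n comes from two bytes of input, and C only defines pointer arithmetic up to one element past the end of an array. Compare sizes instead: compute the bytes remaining as (buffer + sizeof(buffer)) - bufptr and reject the value when 2 + n is greater than or equal to that count.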
      @@ -1468,6 +1509,12 @@
      * we need to carry over...
      */
  •   if (n >= sizeof(buffer))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •   if ((*cb)(src, buffer, n) < n)
      
      {
      DEBUG_puts("ippReadIO: Unable to read member name value!");
      @@ -1489,6 +1536,12 @@
      break;
         default : /* Other unsupported values */
    
  •   if (n > sizeof(buffer))
    
  •   {
    
  •     DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
    
  •     return (IPP_ERROR);
    
  •   }
    
    •        value->unknown.length = n;
        if (n > 0)
      
      {

@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016
