* [Printing-architecture] [patch] cups-1.7.0: job history fix
@ 2013-10-25 15:36 Tim Waugh
2013-10-28 15:30 ` Michael Sweet
0 siblings, 1 reply; 4+ messages in thread
From: Tim Waugh @ 2013-10-25 15:36 UTC (permalink / raw)
To: printing-architecture@lists.linux-foundation.org
[-- Attachment #1.1: Type: text/plain, Size: 660 bytes --]
Hi,
While playing around with a logging enhancement¹ I discovered a bug in
the job history code. It was introduced some time after the public
source repository was taken off-line, so I don't know what the
motivation for the change was.
A cups_joblog_t declares 'char message[1]' for the message, and is
allocated with enough storage for the intended message. However, the
message is copied in with strlcpy, with a limit of
sizeof(cups_joblog_t->message). As a result, the message is severely(!)
truncated.
The fix is to undo the change as attached.
Tim.
*/
¹ http://cyberelk.net/tim/2013/10/25/cups-adding-support-for-system-journal/
[-- Attachment #1.2: cups-jobhistory.patch --]
[-- Type: text/x-patch, Size: 537 bytes --]
diff -up cups-1.7rc1/scheduler/log.c.orig cups-1.7rc1/scheduler/log.c
--- cups-1.7rc1/scheduler/log.c.orig 2013-10-24 15:40:42.412062412 +0100
+++ cups-1.7rc1/scheduler/log.c 2013-10-24 15:40:43.329066617 +0100
@@ -534,7 +534,7 @@ cupsdLogJob(cupsd_job_t *job, /* I - Jo
if ((temp = malloc(sizeof(cupsd_joblog_t) + strlen(log_line))) != NULL)
{
temp->time = time(NULL);
- strlcpy(temp->message, log_line, sizeof(temp->message));
+ strcpy(temp->message, log_line);
}
if (!job->history)
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 482 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [Printing-architecture] [patch] cups-1.7.0: job history fix 2013-10-25 15:36 [Printing-architecture] [patch] cups-1.7.0: job history fix Tim Waugh @ 2013-10-28 15:30 ` Michael Sweet 2013-10-28 15:35 ` Michael Sweet 0 siblings, 1 reply; 4+ messages in thread From: Michael Sweet @ 2013-10-28 15:30 UTC (permalink / raw) To: Tim Waugh; +Cc: printing-architecture@lists.linux-foundation.org Tim, Thanks, I filed this as: <rdar://problem/15331639> cups.org: Regression in auto-debug logging That said, your proposed fix actually isn't safe either - the Fortify strcpy stuff in glibc effectively converts the strcpy to a strlcpy, so the code will break if you happen to compile using the -D_FORTIFY_SOURCE=2 compiler option. I will follow up with a memcpy-based fix. Thanks for reporting this! (and we are 1 electronic signature away from getting cups.org's bug tracker back online...) On Oct 25, 2013, at 11:36 AM, Tim Waugh <twaugh@redhat.com> wrote: > Hi, > > While playing around with a logging enhancement¹ I discovered a bug in > the job history code. It was introduced some time after the public > source repository was taken off-line, so I don't know what the > motivation for the change was. > > A cups_joblog_t declares 'char message[1]' for the message, and is > allocated with enough storage for the intended message. However, the > message is copied in with strlcpy, with a limit of > sizeof(cups_joblog_t->message). As a result, the message is severely(!) > truncated. > > The fix is to undo the change as attached. > > Tim. > */ > > ¹ http://cyberelk.net/tim/2013/10/25/cups-adding-support-for-system-journal/ > <cups-jobhistory.patch>_______________________________________________ > Printing-architecture mailing list > Printing-architecture@lists.linux-foundation.org > https://lists.linuxfoundation.org/mailman/listinfo/printing-architecture _________________________________________________________ Michael Sweet, Senior Printing System Engineer, PWG Chair ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Printing-architecture] [patch] cups-1.7.0: job history fix 2013-10-28 15:30 ` Michael Sweet @ 2013-10-28 15:35 ` Michael Sweet 2013-10-28 16:33 ` Tim Waugh 0 siblings, 1 reply; 4+ messages in thread From: Michael Sweet @ 2013-10-28 15:35 UTC (permalink / raw) To: Tim Waugh; +Cc: printing-architecture@lists.linux-foundation.org [-- Attachment #1: Type: text/plain, Size: 22 bytes --] and here is the fix: [-- Attachment #2: rdar15331639.patch --] [-- Type: application/octet-stream, Size: 677 bytes --] Index: scheduler/log.c =================================================================== --- scheduler/log.c (revision 11365) +++ scheduler/log.c (working copy) @@ -541,12 +541,13 @@ */ cupsd_joblog_t *temp; /* Copy of log message */ + size_t log_len = strlen(log_line); + /* Length of log message */ - - if ((temp = malloc(sizeof(cupsd_joblog_t) + strlen(log_line))) != NULL) + if ((temp = malloc(sizeof(cupsd_joblog_t) + log_len)) != NULL) { temp->time = time(NULL); - strlcpy(temp->message, log_line, sizeof(temp->message)); + memcpy(temp->message, log_line, log_len + 1); } if (!job->history) [-- Attachment #3: Type: text/plain, Size: 2126 bytes --] On Oct 28, 2013, at 11:30 AM, Michael Sweet <msweet@apple.com> wrote: > Tim, > > Thanks, I filed this as: > > <rdar://problem/15331639> cups.org: Regression in auto-debug logging > > That said, your proposed fix actually isn't safe either - the Fortify strcpy stuff in glibc effectively converts the strcpy to a strlcpy, so the code will break if you happen to compile using the -D_FORTIFY_SOURCE=2 compiler option. > > I will follow up with a memcpy-based fix. > > Thanks for reporting this! > > (and we are 1 electronic signature away from getting cups.org's bug tracker back online...) > > > On Oct 25, 2013, at 11:36 AM, Tim Waugh <twaugh@redhat.com> wrote: > >> Hi, >> >> While playing around with a logging enhancement¹ I discovered a bug in >> the job history code. It was introduced some time after the public >> source repository was taken off-line, so I don't know what the >> motivation for the change was. >> >> A cups_joblog_t declares 'char message[1]' for the message, and is >> allocated with enough storage for the intended message. However, the >> message is copied in with strlcpy, with a limit of >> sizeof(cups_joblog_t->message). As a result, the message is severely(!) >> truncated. >> >> The fix is to undo the change as attached. >> >> Tim. >> */ >> >> ¹ http://cyberelk.net/tim/2013/10/25/cups-adding-support-for-system-journal/ >> <cups-jobhistory.patch>_______________________________________________ >> Printing-architecture mailing list >> Printing-architecture@lists.linux-foundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/printing-architecture > > _________________________________________________________ > Michael Sweet, Senior Printing System Engineer, PWG Chair > > _______________________________________________ > Printing-architecture mailing list > Printing-architecture@lists.linux-foundation.org > https://lists.linuxfoundation.org/mailman/listinfo/printing-architecture _________________________________________________________ Michael Sweet, Senior Printing System Engineer, PWG Chair ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Printing-architecture] [patch] cups-1.7.0: job history fix 2013-10-28 15:35 ` Michael Sweet @ 2013-10-28 16:33 ` Tim Waugh 0 siblings, 0 replies; 4+ messages in thread From: Tim Waugh @ 2013-10-28 16:33 UTC (permalink / raw) To: Michael Sweet; +Cc: printing-architecture@lists.linux-foundation.org [-- Attachment #1: Type: text/plain, Size: 106 bytes --] On Mon, 2013-10-28 at 11:35 -0400, Michael Sweet wrote: > and here is the fix: Thanks. Tim. */ [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 482 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2013-10-28 16:33 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2013-10-25 15:36 [Printing-architecture] [patch] cups-1.7.0: job history fix Tim Waugh 2013-10-28 15:30 ` Michael Sweet 2013-10-28 15:35 ` Michael Sweet 2013-10-28 16:33 ` Tim Waugh
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.