* [Printing-architecture] [patch] cups-1.7.0: job history fix
@ 2013-10-25 15:36 Tim Waugh
2013-10-28 15:30 ` Michael Sweet
0 siblings, 1 reply; 4+ messages in thread
From: Tim Waugh @ 2013-10-25 15:36 UTC (permalink / raw)
To: printing-architecture@lists.linux-foundation.org
[-- Attachment #1.1: Type: text/plain, Size: 660 bytes --]
Hi,
While playing around with a logging enhancement¹ I discovered a bug in
the job history code. It was introduced some time after the public
source repository was taken off-line, so I don't know what the
motivation for the change was.
A cups_joblog_t declares 'char message[1]' for the message, and is
allocated with enough storage for the intended message. However, the
message is copied in with strlcpy, with a limit of
sizeof(cups_joblog_t->message). As a result, the message is severely(!)
truncated.
The fix is to undo the change as attached.
Tim.
*/
¹ http://cyberelk.net/tim/2013/10/25/cups-adding-support-for-system-journal/
[-- Attachment #1.2: cups-jobhistory.patch --]
[-- Type: text/x-patch, Size: 537 bytes --]
diff -up cups-1.7rc1/scheduler/log.c.orig cups-1.7rc1/scheduler/log.c
--- cups-1.7rc1/scheduler/log.c.orig 2013-10-24 15:40:42.412062412 +0100
+++ cups-1.7rc1/scheduler/log.c 2013-10-24 15:40:43.329066617 +0100
@@ -534,7 +534,7 @@ cupsdLogJob(cupsd_job_t *job, /* I - Jo
if ((temp = malloc(sizeof(cupsd_joblog_t) + strlen(log_line))) != NULL)
{
temp->time = time(NULL);
- strlcpy(temp->message, log_line, sizeof(temp->message));
+ strcpy(temp->message, log_line);
}
if (!job->history)
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 482 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Printing-architecture] [patch] cups-1.7.0: job history fix
2013-10-25 15:36 [Printing-architecture] [patch] cups-1.7.0: job history fix Tim Waugh
@ 2013-10-28 15:30 ` Michael Sweet
2013-10-28 15:35 ` Michael Sweet
0 siblings, 1 reply; 4+ messages in thread
From: Michael Sweet @ 2013-10-28 15:30 UTC (permalink / raw)
To: Tim Waugh; +Cc: printing-architecture@lists.linux-foundation.org
Tim,
Thanks, I filed this as:
<rdar://problem/15331639> cups.org: Regression in auto-debug logging
That said, your proposed fix actually isn't safe either - the Fortify strcpy stuff in glibc effectively converts the strcpy to a strlcpy, so the code will break if you happen to compile using the -D_FORTIFY_SOURCE=2 compiler option.
I will follow up with a memcpy-based fix.
Thanks for reporting this!
(and we are 1 electronic signature away from getting cups.org's bug tracker back online...)
On Oct 25, 2013, at 11:36 AM, Tim Waugh <twaugh@redhat.com> wrote:
> Hi,
>
> While playing around with a logging enhancement¹ I discovered a bug in
> the job history code. It was introduced some time after the public
> source repository was taken off-line, so I don't know what the
> motivation for the change was.
>
> A cups_joblog_t declares 'char message[1]' for the message, and is
> allocated with enough storage for the intended message. However, the
> message is copied in with strlcpy, with a limit of
> sizeof(cups_joblog_t->message). As a result, the message is severely(!)
> truncated.
>
> The fix is to undo the change as attached.
>
> Tim.
> */
>
> ¹ http://cyberelk.net/tim/2013/10/25/cups-adding-support-for-system-journal/
> <cups-jobhistory.patch>_______________________________________________
> Printing-architecture mailing list
> Printing-architecture@lists.linux-foundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/printing-architecture
_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Printing-architecture] [patch] cups-1.7.0: job history fix
2013-10-28 15:30 ` Michael Sweet
@ 2013-10-28 15:35 ` Michael Sweet
2013-10-28 16:33 ` Tim Waugh
0 siblings, 1 reply; 4+ messages in thread
From: Michael Sweet @ 2013-10-28 15:35 UTC (permalink / raw)
To: Tim Waugh; +Cc: printing-architecture@lists.linux-foundation.org
[-- Attachment #1: Type: text/plain, Size: 22 bytes --]
and here is the fix:
[-- Attachment #2: rdar15331639.patch --]
[-- Type: application/octet-stream, Size: 677 bytes --]
Index: scheduler/log.c
===================================================================
--- scheduler/log.c (revision 11365)
+++ scheduler/log.c (working copy)
@@ -541,12 +541,13 @@
*/
cupsd_joblog_t *temp; /* Copy of log message */
+ size_t log_len = strlen(log_line);
+ /* Length of log message */
-
- if ((temp = malloc(sizeof(cupsd_joblog_t) + strlen(log_line))) != NULL)
+ if ((temp = malloc(sizeof(cupsd_joblog_t) + log_len)) != NULL)
{
temp->time = time(NULL);
- strlcpy(temp->message, log_line, sizeof(temp->message));
+ memcpy(temp->message, log_line, log_len + 1);
}
if (!job->history)
[-- Attachment #3: Type: text/plain, Size: 2126 bytes --]
On Oct 28, 2013, at 11:30 AM, Michael Sweet <msweet@apple.com> wrote:
> Tim,
>
> Thanks, I filed this as:
>
> <rdar://problem/15331639> cups.org: Regression in auto-debug logging
>
> That said, your proposed fix actually isn't safe either - the Fortify strcpy stuff in glibc effectively converts the strcpy to a strlcpy, so the code will break if you happen to compile using the -D_FORTIFY_SOURCE=2 compiler option.
>
> I will follow up with a memcpy-based fix.
>
> Thanks for reporting this!
>
> (and we are 1 electronic signature away from getting cups.org's bug tracker back online...)
>
>
> On Oct 25, 2013, at 11:36 AM, Tim Waugh <twaugh@redhat.com> wrote:
>
>> Hi,
>>
>> While playing around with a logging enhancement¹ I discovered a bug in
>> the job history code. It was introduced some time after the public
>> source repository was taken off-line, so I don't know what the
>> motivation for the change was.
>>
>> A cups_joblog_t declares 'char message[1]' for the message, and is
>> allocated with enough storage for the intended message. However, the
>> message is copied in with strlcpy, with a limit of
>> sizeof(cups_joblog_t->message). As a result, the message is severely(!)
>> truncated.
>>
>> The fix is to undo the change as attached.
>>
>> Tim.
>> */
>>
>> ¹ http://cyberelk.net/tim/2013/10/25/cups-adding-support-for-system-journal/
>> <cups-jobhistory.patch>_______________________________________________
>> Printing-architecture mailing list
>> Printing-architecture@lists.linux-foundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/printing-architecture
>
> _________________________________________________________
> Michael Sweet, Senior Printing System Engineer, PWG Chair
>
> _______________________________________________
> Printing-architecture mailing list
> Printing-architecture@lists.linux-foundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/printing-architecture
_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Printing-architecture] [patch] cups-1.7.0: job history fix
2013-10-28 15:35 ` Michael Sweet
@ 2013-10-28 16:33 ` Tim Waugh
0 siblings, 0 replies; 4+ messages in thread
From: Tim Waugh @ 2013-10-28 16:33 UTC (permalink / raw)
To: Michael Sweet; +Cc: printing-architecture@lists.linux-foundation.org
[-- Attachment #1: Type: text/plain, Size: 106 bytes --]
On Mon, 2013-10-28 at 11:35 -0400, Michael Sweet wrote:
> and here is the fix:
Thanks.
Tim.
*/
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 482 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2013-10-28 16:33 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-10-25 15:36 [Printing-architecture] [patch] cups-1.7.0: job history fix Tim Waugh
2013-10-28 15:30 ` Michael Sweet
2013-10-28 15:35 ` Michael Sweet
2013-10-28 16:33 ` Tim Waugh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.