|
 |
e33d6f |
From 2c030c7a06e0c2b8227c7e85f5c58dfb339731d0 Mon Sep 17 00:00:00 2001
|
|
|
e33d6f |
From: Michael R Sweet <michael.r.sweet@gmail.com>
|
|
|
e33d6f |
Date: Thu, 15 Aug 2019 14:06:47 -0400
|
|
|
e33d6f |
Subject: [PATCH] Multiple security/disclosure issues:
|
|
|
e33d6f |
|
|
|
e33d6f |
- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows (rdar://51685251)
|
|
|
e33d6f |
- Fixed IPP buffer overflow (rdar://50035411)
|
|
|
e33d6f |
- Fixed memory disclosure issue in the scheduler (rdar://51373853)
|
|
|
e33d6f |
- Fixed DoS issues in the scheduler (rdar://51373929)
|
|
|
e33d6f |
|
|
|
e33d6f |
diff --git a/cups/http.c b/cups/http.c
|
|
|
e33d6f |
index 266a15791..fbb1bf13c 100644
|
|
|
e33d6f |
--- a/cups/http.c
|
|
|
e33d6f |
+++ b/cups/http.c
|
|
|
e33d6f |
@@ -1860,7 +1860,7 @@ httpPrintf(http_t *http, /* I - HTTP connection */
|
|
|
e33d6f |
...) /* I - Additional args as needed */
|
|
|
e33d6f |
{
|
|
|
e33d6f |
ssize_t bytes; /* Number of bytes to write */
|
|
|
e33d6f |
- char buf[16384]; /* Buffer for formatted string */
|
|
|
e33d6f |
+ char buf[65536]; /* Buffer for formatted string */
|
|
|
e33d6f |
va_list ap; /* Variable argument pointer */
|
|
|
e33d6f |
|
|
|
e33d6f |
|
|
|
e33d6f |
@@ -1872,7 +1872,12 @@ httpPrintf(http_t *http, /* I - HTTP connection */
|
|
|
e33d6f |
|
|
|
e33d6f |
DEBUG_printf(("3httpPrintf: (" CUPS_LLFMT " bytes) %s", CUPS_LLCAST bytes, buf));
|
|
|
e33d6f |
|
|
|
e33d6f |
- if (http->data_encoding == HTTP_ENCODING_FIELDS)
|
|
|
e33d6f |
+ if (bytes > (ssize_t)(sizeof(buf) - 1))
|
|
|
e33d6f |
+ {
|
|
|
e33d6f |
+ http->error = ENOMEM;
|
|
|
e33d6f |
+ return (-1);
|
|
|
e33d6f |
+ }
|
|
|
e33d6f |
+ else if (http->data_encoding == HTTP_ENCODING_FIELDS)
|
|
|
e33d6f |
return ((int)httpWrite2(http, buf, (size_t)bytes));
|
|
|
e33d6f |
else
|
|
|
e33d6f |
{
|
|
|
e33d6f |
diff --git a/cups/ipp.c b/cups/ipp.c
|
|
|
e33d6f |
index 6fae52a00..1bd59cef1 100644
|
|
|
e33d6f |
--- a/cups/ipp.c
|
|
|
e33d6f |
+++ b/cups/ipp.c
|
|
|
e33d6f |
@@ -4550,9 +4550,7 @@ ippSetValueTag(
|
|
|
e33d6f |
break;
|
|
|
e33d6f |
|
|
|
e33d6f |
case IPP_TAG_NAME :
|
|
|
e33d6f |
- if (temp_tag != IPP_TAG_KEYWORD && temp_tag != IPP_TAG_URI &&
|
|
|
e33d6f |
- temp_tag != IPP_TAG_URISCHEME && temp_tag != IPP_TAG_LANGUAGE &&
|
|
|
e33d6f |
- temp_tag != IPP_TAG_MIMETYPE)
|
|
|
e33d6f |
+ if (temp_tag != IPP_TAG_KEYWORD)
|
|
|
e33d6f |
return (0);
|
|
|
e33d6f |
|
|
|
e33d6f |
(*attr)->value_tag = (ipp_tag_t)(IPP_TAG_NAME | ((*attr)->value_tag & IPP_TAG_CUPS_CONST));
|
|
|
e33d6f |
@@ -4560,10 +4558,7 @@ ippSetValueTag(
|
|
|
e33d6f |
|
|
|
e33d6f |
case IPP_TAG_NAMELANG :
|
|
|
e33d6f |
case IPP_TAG_TEXTLANG :
|
|
|
e33d6f |
- if (value_tag == IPP_TAG_NAMELANG &&
|
|
|
e33d6f |
- (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD &&
|
|
|
e33d6f |
- temp_tag != IPP_TAG_URI && temp_tag != IPP_TAG_URISCHEME &&
|
|
|
e33d6f |
- temp_tag != IPP_TAG_LANGUAGE && temp_tag != IPP_TAG_MIMETYPE))
|
|
|
e33d6f |
+ if (value_tag == IPP_TAG_NAMELANG && (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD))
|
|
|
e33d6f |
return (0);
|
|
|
e33d6f |
|
|
|
e33d6f |
if (value_tag == IPP_TAG_TEXTLANG && temp_tag != IPP_TAG_TEXT)
|
|
|
e33d6f |
diff --git a/cups/snmp.c b/cups/snmp.c
|
|
|
e33d6f |
index 5cefee454..1d9da01f2 100644
|
|
|
e33d6f |
--- a/cups/snmp.c
|
|
|
e33d6f |
+++ b/cups/snmp.c
|
|
|
e33d6f |
@@ -1233,6 +1233,9 @@ asn1_get_integer(
|
|
|
e33d6f |
int value; /* Integer value */
|
|
|
e33d6f |
|
|
|
e33d6f |
|
|
|
e33d6f |
+ if (*buffer >= bufend)
|
|
|
e33d6f |
+ return (0);
|
|
|
e33d6f |
+
|
|
|
e33d6f |
if (length > sizeof(int))
|
|
|
e33d6f |
{
|
|
|
e33d6f |
(*buffer) += length;
|
|
|
e33d6f |
@@ -1259,6 +1262,9 @@ asn1_get_length(unsigned char **buffer, /* IO - Pointer in buffer */
|
|
|
e33d6f |
unsigned length; /* Length */
|
|
|
e33d6f |
|
|
|
e33d6f |
|
|
|
e33d6f |
+ if (*buffer >= bufend)
|
|
|
e33d6f |
+ return (0);
|
|
|
e33d6f |
+
|
|
|
e33d6f |
length = **buffer;
|
|
|
e33d6f |
(*buffer) ++;
|
|
|
e33d6f |
|
|
|
e33d6f |
@@ -1301,6 +1307,9 @@ asn1_get_oid(
|
|
|
e33d6f |
int number; /* OID number */
|
|
|
e33d6f |
|
|
|
e33d6f |
|
|
|
e33d6f |
+ if (*buffer >= bufend)
|
|
|
e33d6f |
+ return (0);
|
|
|
e33d6f |
+
|
|
|
e33d6f |
valend = *buffer + length;
|
|
|
e33d6f |
oidptr = oid;
|
|
|
e33d6f |
oidend = oid + oidsize - 1;
|
|
|
e33d6f |
@@ -1349,9 +1358,12 @@ asn1_get_packed(
|
|
|
e33d6f |
int value; /* Value */
|
|
|
e33d6f |
|
|
|
e33d6f |
|
|
|
e33d6f |
+ if (*buffer >= bufend)
|
|
|
e33d6f |
+ return (0);
|
|
|
e33d6f |
+
|
|
|
e33d6f |
value = 0;
|
|
|
e33d6f |
|
|
|
e33d6f |
- while ((**buffer & 128) && *buffer < bufend)
|
|
|
e33d6f |
+ while (*buffer < bufend && (**buffer & 128))
|
|
|
e33d6f |
{
|
|
|
e33d6f |
value = (value << 7) | (**buffer & 127);
|
|
|
e33d6f |
(*buffer) ++;
|
|
|
e33d6f |
@@ -1379,6 +1391,9 @@ asn1_get_string(
|
|
|
e33d6f |
char *string, /* I - String buffer */
|
|
|
e33d6f |
size_t strsize) /* I - String buffer size */
|
|
|
e33d6f |
{
|
|
|
e33d6f |
+ if (*buffer >= bufend)
|
|
|
e33d6f |
+ return (NULL);
|
|
|
e33d6f |
+
|
|
|
e33d6f |
if (length > (unsigned)(bufend - *buffer))
|
|
|
e33d6f |
length = (unsigned)(bufend - *buffer);
|
|
|
e33d6f |
|
|
|
e33d6f |
@@ -1421,6 +1436,9 @@ asn1_get_type(unsigned char **buffer, /* IO - Pointer in buffer */
|
|
|
e33d6f |
int type; /* Type */
|
|
|
e33d6f |
|
|
|
e33d6f |
|
|
|
e33d6f |
+ if (*buffer >= bufend)
|
|
|
e33d6f |
+ return (0);
|
|
|
e33d6f |
+
|
|
|
e33d6f |
type = **buffer;
|
|
|
e33d6f |
(*buffer) ++;
|
|
|
e33d6f |
|
|
|
e33d6f |
diff --git a/scheduler/client.c b/scheduler/client.c
|
|
|
e33d6f |
index 923a6e67a..f693e7c49 100644
|
|
|
e33d6f |
--- a/scheduler/client.c
|
|
|
e33d6f |
+++ b/scheduler/client.c
|
|
|
e33d6f |
@@ -564,6 +564,17 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
|
|
|
e33d6f |
|
|
|
e33d6f |
cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cupsdReadClient: error=%d, used=%d, state=%s, data_encoding=HTTP_ENCODING_%s, data_remaining=" CUPS_LLFMT ", request=%p(%s), file=%d", httpError(con->http), (int)httpGetReady(con->http), httpStateString(httpGetState(con->http)), httpIsChunked(con->http) ? "CHUNKED" : "LENGTH", CUPS_LLCAST httpGetRemaining(con->http), con->request, con->request ? ippStateString(ippGetState(con->request)) : "", con->file);
|
|
|
e33d6f |
|
|
|
e33d6f |
+ if (httpError(con->http) == EPIPE && !httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1)
|
|
|
e33d6f |
+ {
|
|
|
e33d6f |
+ /*
|
|
|
e33d6f |
+ * Connection closed...
|
|
|
e33d6f |
+ */
|
|
|
e33d6f |
+
|
|
|
e33d6f |
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF.");
|
|
|
e33d6f |
+ cupsdCloseClient(con);
|
|
|
e33d6f |
+ return;
|
|
|
e33d6f |
+ }
|
|
|
e33d6f |
+
|
|
|
e33d6f |
if (httpGetState(con->http) == HTTP_STATE_GET_SEND ||
|
|
|
e33d6f |
httpGetState(con->http) == HTTP_STATE_POST_SEND ||
|
|
|
e33d6f |
httpGetState(con->http) == HTTP_STATE_STATUS)
|
|
|
e33d6f |
@@ -573,17 +584,6 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
|
|
|
e33d6f |
* connection and we need to shut it down...
|
|
|
e33d6f |
*/
|
|
|
e33d6f |
|
|
|
e33d6f |
- if (!httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1)
|
|
|
e33d6f |
- {
|
|
|
e33d6f |
- /*
|
|
|
e33d6f |
- * Connection closed...
|
|
|
e33d6f |
- */
|
|
|
e33d6f |
-
|
|
|
e33d6f |
- cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF.");
|
|
|
e33d6f |
- cupsdCloseClient(con);
|
|
|
e33d6f |
- return;
|
|
|
e33d6f |
- }
|
|
|
e33d6f |
-
|
|
|
e33d6f |
cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on unexpected HTTP read state %s.", httpStateString(httpGetState(con->http)));
|
|
|
e33d6f |
cupsdCloseClient(con);
|
|
|
e33d6f |
return;
|
|
|
e33d6f |
@@ -1950,6 +1950,7 @@ cupsdSendError(cupsd_client_t *con, /* I - Connection */
|
|
|
e33d6f |
strlcpy(location, httpGetField(con->http, HTTP_FIELD_LOCATION), sizeof(location));
|
|
|
e33d6f |
|
|
|
e33d6f |
httpClearFields(con->http);
|
|
|
e33d6f |
+ httpClearCookie(con->http);
|
|
|
e33d6f |
|
|
|
e33d6f |
httpSetField(con->http, HTTP_FIELD_LOCATION, location);
|
|
|
e33d6f |
|
|
|
e33d6f |
--
|
|
|
e33d6f |
2.21.0
|
|
|
e33d6f |
|