|
 |
8d5fa4 |
Fix for CVE-2020-10001, which is a bug in the CUPS ippReadIO function when it
|
|
|
8d5fa4 |
reads tagged string values (nameWithLanguage and textWithLanguage). The
|
|
|
8d5fa4 |
previous code verified that the length of the sub-strings (language identifier
|
|
|
8d5fa4 |
and name/text value) did not exceed the size of the allocated buffer (1 byte
|
|
|
8d5fa4 |
larger than the maximum IPP value size of 32767 bytes), but did not validate
|
|
|
8d5fa4 |
against the length of the actual IPP value.
|
|
|
8d5fa4 |
|
|
|
8d5fa4 |
The issues introduced by this vulnerability include:
|
|
|
8d5fa4 |
|
|
|
8d5fa4 |
- Potential information disclosure by copying uninitialized areas of memory into
|
|
|
8d5fa4 |
an IPP string value.
|
|
|
8d5fa4 |
- Potential Denial of Service by supplying/using invalid string values when
|
|
|
8d5fa4 |
strict validation has been disabled by the system administrator.
|
|
|
8d5fa4 |
|
|
|
8d5fa4 |
This change ensures that:
|
|
|
8d5fa4 |
|
|
|
8d5fa4 |
1. The language identifier does not extend beyond the end of the IPP value.
|
|
|
8d5fa4 |
2. The length of the name/text string is within the IPP value.
|
|
|
8d5fa4 |
3. The name/text string is within the IPP value.
|
|
|
8d5fa4 |
|
|
|
8d5fa4 |
diff --git a/cups/ipp.c b/cups/ipp.c
|
|
|
8d5fa4 |
index 3d529346c..adbb26fba 100644
|
|
|
8d5fa4 |
--- a/cups/ipp.c
|
|
|
8d5fa4 |
+++ b/cups/ipp.c
|
|
|
8d5fa4 |
@@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */
|
|
|
8d5fa4 |
unsigned char *buffer, /* Data buffer */
|
|
|
8d5fa4 |
string[IPP_MAX_TEXT],
|
|
|
8d5fa4 |
/* Small string buffer */
|
|
|
8d5fa4 |
- *bufptr; /* Pointer into buffer */
|
|
|
8d5fa4 |
+ *bufptr, /* Pointer into buffer */
|
|
|
8d5fa4 |
+ *bufend; /* End of buffer */
|
|
|
8d5fa4 |
ipp_attribute_t *attr; /* Current attribute */
|
|
|
8d5fa4 |
ipp_tag_t tag; /* Current tag */
|
|
|
8d5fa4 |
ipp_tag_t value_tag; /* Current value tag */
|
|
|
8d5fa4 |
@@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */
|
|
|
8d5fa4 |
}
|
|
|
8d5fa4 |
|
|
|
8d5fa4 |
bufptr = buffer;
|
|
|
8d5fa4 |
+ bufend = buffer + n;
|
|
|
8d5fa4 |
|
|
|
8d5fa4 |
/*
|
|
|
8d5fa4 |
* text-with-language and name-with-language are composite
|
|
|
8d5fa4 |
@@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */
|
|
|
8d5fa4 |
|
|
|
8d5fa4 |
n = (bufptr[0] << 8) | bufptr[1];
|
|
|
8d5fa4 |
|
|
|
8d5fa4 |
- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
|
|
|
8d5fa4 |
+ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
|
|
|
8d5fa4 |
{
|
|
|
8d5fa4 |
_cupsSetError(IPP_STATUS_ERROR_INTERNAL,
|
|
|
8d5fa4 |
_("IPP language length overflows value."), 1);
|
|
|
8d5fa4 |
@@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */
|
|
|
8d5fa4 |
bufptr += 2 + n;
|
|
|
8d5fa4 |
n = (bufptr[0] << 8) | bufptr[1];
|
|
|
8d5fa4 |
|
|
|
8d5fa4 |
- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
|
|
|
8d5fa4 |
+ if ((bufptr + 2 + n) > bufend)
|
|
|
8d5fa4 |
{
|
|
|
8d5fa4 |
_cupsSetError(IPP_STATUS_ERROR_INTERNAL,
|
|
|
8d5fa4 |
_("IPP string length overflows value."), 1);
|
|
|
8d5fa4 |
|