Date: Thu, 20 Nov 2008 03:16:36 +0300
From: Eygene Ryabinkin <rea-sec@...elabs.ru>
To: oss-security@...ts.openwall.com, mike@...ysw.com
Cc: "Steven M. Christey" <coley@...re.org>
Subject: Re: CVE request: CUPS DoS via RSS subscriptions

Josh, Mike, *, good day.

Wed, Nov 19, 2008 at 03:14:43PM -0500, Josh Bressers wrote:
> So from looking at cups 1.3.7 on Fedora 8, here is what I see:
> 
> (gdb) bt
> #0  create_subscription (con=0xb88975c0, uri=0xb889ae00) at ipp.c:5858
> #1  0xb7facba7 in cupsdProcessIPPRequest (con=0xb88975c0) at ipp.c:615
> #2  0xb7f88bfc in cupsdReadClient (con=0xb88975c0) at client.c:2253
> #3  0xb7fc0606 in cupsdDoSelect (timeout=1) at select.c:537
> #4  0xb7f98710 in main (argc=1, argv=0xbfdd6194) at main.c:817
> (gdb) list
> 5853        else if (printer)
> 5854          cupsdLogMessage(CUPSD_LOG_DEBUG,
> 5855                          "Added subscription %d for printer \"%s\"",
> 5856                          sub->id, printer->name);
> 5857        else
> 5858          cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for server",
> 5859                          sub->id);
> 5860
> 5861        sub->interval = interval;
> 5862        sub->lease    = lease;
> (gdb) print sub
> $1 = (cupsd_subscription_t *) 0x0
> 
> It would appear to be a NULL pointer dereference.  It seems that this call a
> few lines above the snippet shown above:
>  sub = cupsdAddSubscription(mask, printer, job, recipient, 0);
> 
> will return NULL when the hardcoded value of 100 subscriptions is hit.

Not really hardcoded -- it is settable with the 'MaxSubscriptions'
directive.  I have just reproduced the bug with CUPS 1.3.9 on FreeBSD.
MaxSubscriptions was set to 3 to ease the PoC.  Just repeated
invocations of 'lpr -m <somefile>' were crashing the cups daemon
reproducibly.

The attached patch fixes things for me, but perhaps it needs
some more polishing.  I will try to take a fresh look at this tomorrow.

Mike, please, take a look at this!
-- 
rea

--- scheduler/subscriptions.c.orig	2008-11-20 02:57:17.000000000 +0300
+++ scheduler/subscriptions.c	2008-11-20 03:02:06.000000000 +0300
@@ -728,6 +728,13 @@
       {
         sub = cupsdAddSubscription(CUPSD_EVENT_NONE, NULL, NULL, NULL,
 	                           atoi(value));
+	if (!sub)
+	{
+          cupsdLogMessage(CUPSD_LOG_ERROR,
+	                  "Unable to add new subscription.  Was parsing line %d of subscriptions.conf.",
+	                  linenum);
+          break;
+	}
       }
       else
       {
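Review bot: the `break` on the `!sub` path abandons the rest of subscriptions.conf at the first entry that cannot be added (the message itself cites `linenum`, so this is inside the line-reading loop), which means every later entry in the file is dropped with only this one log line to show for it; if the intent is to skip just the subscription that exceeds MaxSubscriptions, `continue` to the next Subscription block is the less surprising choice, and whichever behaviour is kept should be stated in a comment next to the `break`. Minor style point: the added lines mix tab and space indentation while the surrounding context is space-indented.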
--- scheduler/ipp.c.orig	2008-11-20 02:55:59.000000000 +0300
+++ scheduler/ipp.c	2008-11-20 02:56:03.000000000 +0300
@@ -2121,6 +2121,14 @@
 
     sub = cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, recipient,
                                0);
+    if (!sub)
+    {
+      cupsdLogMessage(CUPSD_LOG_ERROR,
+		      "Failed to create subscription for job %d", job->id);
+      send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS,
+                      _("Unable to add new subscription"));
+      return;
+    }
 
     sub->interval = interval;
 
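Review bot: the `return;` after `send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS, ...)` reports the failure but the hunk does not show how the enclosing function's caller reacts to a void return; since the job already exists at this point (`job->id` is used in the log line), verify that the caller checks the status set by `send_ipp_status()` rather than overwriting it with a success response and carrying on with a job whose requested subscriptions were only partly added. A short comment on why the whole request is rejected instead of just dropping the extra subscription would also help the next reader.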
@@ -5591,6 +5599,14 @@
       job = NULL;
 
     sub = cupsdAddSubscription(mask, printer, job, recipient, 0);
+    if (!sub)
+    {
+      cupsdLogMessage(CUPSD_LOG_ERROR,
+		      "Failed to create subscription for job %d", job->id);
+      send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS,
+                      _("Unable to add new subscription"));
+      return;
+    }
 
     if (job)
       cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for job %d",
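Review bot: `job->id` in the new `cupsdLogMessage()` call dereferences `job` on a path where it is NULL: the context line `job = NULL;` just above and the `if (job)` guard just below show that create_subscription() also serves printer and server subscriptions with no job, so hitting MaxSubscriptions on one of those turns the reported crash into a NULL dereference inside the new error handling. Guard it, e.g. `job ? job->id : 0`, or branch on `job`/`printer` the way the existing debug messages that follow do. The status reported to the client is fine as it is.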

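To make the failure mode in this thread concrete, here is a small model of it written for this post, not code from CUPS: a bounded subscription table whose add routine returns NULL once the configured limit is reached (the behaviour the thread attributes to cupsdAddSubscription() when MaxSubscriptions is hit), next to the unchecked caller from the gdb trace and the checked caller the patch introduces. Every name in it, the limit of 3 (taken from the PoC setting above) and the status values are assumptions for illustration only.

```c
/*
 * Added example, not CUPS code: a bounded subscription table whose
 * add routine returns NULL at the limit, the way the thread describes
 * cupsdAddSubscription() behaving when MaxSubscriptions is reached,
 * beside an unchecked caller (the crash) and a checked caller (the
 * fix).  All names and values here are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>

#define MAX_SUBSCRIPTIONS 3   /* stand-in for the MaxSubscriptions directive */

typedef struct {
    int id;
    int interval;
    int lease;
} subscription_t;

/* Stand-ins for the IPP status codes a request handler would report. */
enum status { STATUS_OK = 0, STATUS_TOO_MANY_SUBSCRIPTIONS = 1 };

static subscription_t *subs[MAX_SUBSCRIPTIONS];
static int num_subs = 0;
static int next_id  = 1;

/* Returns NULL (rather than aborting) at the limit, so callers must check. */
subscription_t *add_subscription(void)
{
    subscription_t *sub;

    if (num_subs >= MAX_SUBSCRIPTIONS)
        return NULL;
    sub = calloc(1, sizeof *sub);
    if (!sub)
        return NULL;
    sub->id = next_id++;
    subs[num_subs++] = sub;
    return sub;
}

/* Frees the table; ids keep counting up, as a long-running daemon's would. */
void reset_subscriptions(void)
{
    while (num_subs > 0)
        free(subs[--num_subs]);
}

/* The pattern from the gdb trace: the result is used without a check,
 * so the first request past the limit writes through a NULL pointer. */
void create_subscription_unchecked(int interval, int lease)
{
    subscription_t *sub = add_subscription();

    sub->interval = interval;   /* faults when sub == NULL */
    sub->lease    = lease;
}

/* The pattern from the patch: log, report a status, and return early. */
enum status create_subscription_checked(int interval, int lease, int *id_out)
{
    subscription_t *sub = add_subscription();

    if (!sub) {
        fprintf(stderr, "E [subs] unable to add new subscription: limit %d reached\n",
                MAX_SUBSCRIPTIONS);
        return STATUS_TOO_MANY_SUBSCRIPTIONS;
    }
    sub->interval = interval;
    sub->lease    = lease;
    *id_out = sub->id;
    return STATUS_OK;
}

int main(void)
{
    int i, id;

    /* Five requests against a limit of three: the last two are refused
     * with a status instead of taking the daemon down. */
    for (i = 0; i < 5; i++) {
        if (create_subscription_checked(60, 3600, &id) == STATUS_OK)
            printf("request %d: subscription %d added\n", i + 1, id);
        else
            printf("request %d: refused, too many subscriptions\n", i + 1);
    }
    reset_subscriptions();
    return 0;
}
```

The checked caller is the only one main() exercises; the unchecked one is kept purely to show the shape of the code the backtrace points at. Note that once the limit is configurable, an allocator that returns NULL is a normal condition rather than an out-of-memory event, which is why every call site needs the check rather than a single global fix.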