File: 69_CVE2007-4351.dpatch

#! /bin/sh /usr/share/dpatch/dpatch-run
## 69_CVE2007-4351.dpatch by Kenshi Muto <kmuto@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.

@DPATCH@
diff -urNad cupsys-1.2.7~/cups/auth.c cupsys-1.2.7/cups/auth.c
--- cupsys-1.2.7~/cups/auth.c	2007-11-02 12:08:24.089006660 +0000
+++ cupsys-1.2.7/cups/auth.c	2007-11-02 12:08:27.413001119 +0000
@@ -74,7 +74,7 @@
   char		prompt[1024],		/* Prompt for user */
 		realm[HTTP_MAX_VALUE],	/* realm="xyz" string */
 		nonce[HTTP_MAX_VALUE],	/* nonce="xyz" string */
-		encode[512];		/* Encoded username:password */
+		encode[4096];		/* Encoded username:password */
   _cups_globals_t *cg;			/* Global data */
 
 
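Review bot: Enlarging `encode` from 512 to 4096 bytes on the changed line only removes the overflow if the code that fills it is bounded by the array size; that call is outside this hunk, so confirm it is passed `sizeof(encode)` rather than relying on the larger size alone. A comment on the declaration such as `/* encoded username:password; the encoder must be bounded by sizeof(encode) */` would record that assumption next to the number. The enclosing function starts before and continues after this hunk.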
diff -urNad cupsys-1.2.7~/cups/ipp.c cupsys-1.2.7/cups/ipp.c
--- cupsys-1.2.7~/cups/ipp.c	2007-11-02 12:08:24.541005907 +0000
+++ cupsys-1.2.7/cups/ipp.c	2007-11-02 12:08:27.413001119 +0000
@@ -1023,8 +1023,10 @@
           ipp_t      *ipp)		/* I - IPP data */
 {
   int			n;		/* Length of data */
-  unsigned char		buffer[32768],	/* Data buffer */
-			string[255],	/* Small string buffer */
+  unsigned char		buffer[IPP_MAX_LENGTH],
+					/* Data buffer */
+			string[IPP_MAX_NAME],
+					/* Small string buffer */
 			*bufptr;	/* Pointer into buffer */
   ipp_attribute_t	*attr;		/* Current attribute */
   ipp_tag_t		tag;		/* Current tag */
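Review bot: With `buffer[IPP_MAX_LENGTH]` the string-tag guards added later in this file (`if (n >= sizeof(buffer))`) reject a value of exactly IPP_MAX_LENGTH (32767) bytes, even though ipp.h now describes that constant as the maximum size of any single value; presumably the `>=` is needed because the unchanged code nul-terminates the value in place. If maximum-length values must stay readable, declare the read buffer as `unsigned char buffer[IPP_MAX_LENGTH + 1]` (the write side in this same patch already uses `IPP_MAX_LENGTH + 2`) so the guards can accept n == IPP_MAX_LENGTH; otherwise a comment on the declaration should say that the effective limit for strings is IPP_MAX_LENGTH - 1. ippReadIO's body continues past this hunk.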
@@ -1312,6 +1314,12 @@
 	  {
 	    case IPP_TAG_INTEGER :
 	    case IPP_TAG_ENUM :
+		if (n != 4)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 4) < 4)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read integer value!");
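Review bot: The same five-line `if (n != K) { DEBUG_printf(...); return (IPP_ERROR); }` guard added here for INTEGER/ENUM is repeated verbatim for the BOOLEAN, DATE, RESOLUTION and RANGE cases below; a style alternative is one per-tag expected-length check before the switch, leaving each case to do only the read. Whichever form is kept, a short comment such as `/* fixed-size value: any other length would leave the stream out of sync, so reject rather than read K bytes */` would explain why the length is checked instead of ignored, since the reads themselves already have a size. The case ends inside the hunk but the switch and ippReadIO continue outside it.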
@@ -1324,6 +1332,12 @@
                 value->integer = n;
 	        break;
 	    case IPP_TAG_BOOLEAN :
+		if (n != 1)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 1) < 1)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read boolean value!");
@@ -1341,6 +1355,12 @@
 	    case IPP_TAG_CHARSET :
 	    case IPP_TAG_LANGUAGE :
 	    case IPP_TAG_MIMETYPE :
+		if (n >= sizeof(buffer))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 		if ((*cb)(src, buffer, n) < n)
 		{
 		  DEBUG_puts("ippReadIO: unable to read name!");
@@ -1353,6 +1373,12 @@
 		              value->string.text));
 	        break;
 	    case IPP_TAG_DATE :
+		if (n != 11)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, value->date, 11) < 11)
 		{
 	          DEBUG_puts("ippReadIO: Unable to date integer value!");
@@ -1360,6 +1386,12 @@
 		}
 	        break;
 	    case IPP_TAG_RESOLUTION :
+		if (n != 9)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 9) < 9)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read resolution value!");
@@ -1376,6 +1408,12 @@
 		    (ipp_res_t)buffer[8];
 	        break;
 	    case IPP_TAG_RANGE :
+		if (n != 8)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 8) < 8)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read range value!");
@@ -1391,7 +1429,7 @@
 	        break;
 	    case IPP_TAG_TEXTLANG :
 	    case IPP_TAG_NAMELANG :
-	        if (n > sizeof(buffer) || n < 4)
+	        if (n >= sizeof(buffer) || n < 4)
 		{
 		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
 		  return (IPP_ERROR);
@@ -1417,22 +1455,27 @@
 
 		n = (bufptr[0] << 8) | bufptr[1];
 
-                if (n >= sizeof(string))
+		if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||
+		    n >= sizeof(string))
 		{
-		  memcpy(string, bufptr + 2, sizeof(string) - 1);
-		  string[sizeof(string) - 1] = '\0';
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
 		}
-		else
-		{
-		  memcpy(string, bufptr + 2, n);
-		  string[n] = '\0';
-                }
+
+		memcpy(string, bufptr + 2, n);
+		string[n] = '\0';
 
 		value->string.charset = _cupsStrAlloc((char *)string);
 
                 bufptr += 2 + n;
 		n = (bufptr[0] << 8) | bufptr[1];
 
+		if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 		bufptr[2 + n] = '\0';
                 value->string.text = _cupsStrAlloc((char *)bufptr + 2);
 	        break;
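Review bot: The new bound checks `(bufptr + 2 + n) >= (buffer + sizeof(buffer))` form a pointer that can lie more than one element past the end of `buffer` before it is compared, which is undefined behaviour in C and a check an optimiser is entitled to drop; compare offsets instead. In addition, after `bufptr += 2 + n` the second length word is read from `bufptr[0]` and `bufptr[1]` before any check, and the first guard only guarantees `bufptr < buffer + sizeof(buffer)`, so `bufptr[1]` can sit one byte past the array. The rewrite below tracks the remaining bytes in a `size_t avail` (declared with the other locals at the top of ippReadIO, since this file keeps C89-style declarations) and checks it before each read. The sub-fields are also bounded by the whole buffer rather than by this value's own length, so if the unchanged code does not clear the buffer between values, stale bytes from an earlier value could be parsed as the text; worth confirming. The case ends in the hunk, while the switch and ippReadIO continue outside it.
```c
		n = (bufptr[0] << 8) | bufptr[1];

		/* avail = bytes left in buffer from bufptr; compared as offsets so no
		 * pointer past the end of the array is ever formed */
		avail = sizeof(buffer) - (size_t)(bufptr - buffer);

		if ((size_t)n + 2 >= avail || n >= sizeof(string))
		{
		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
		  return (IPP_ERROR);
		}

		memcpy(string, bufptr + 2, n);
		string[n] = '\0';

		value->string.charset = _cupsStrAlloc((char *)string);

		bufptr += 2 + n;
		avail  -= 2 + n;

		if (avail < 2)		/* need the 2-byte text length first */
		{
		  DEBUG_puts("ippReadIO: truncated text length!");
		  return (IPP_ERROR);
		}

		n = (bufptr[0] << 8) | bufptr[1];

		if ((size_t)n + 2 >= avail)	/* room for the text and its nul */
		{
		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
		  return (IPP_ERROR);
		}

		bufptr[2 + n] = '\0';
		value->string.text = _cupsStrAlloc((char *)bufptr + 2);
```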
@@ -1474,6 +1517,12 @@
 		* we need to carry over...
 		*/
 
+		if (n >= sizeof(buffer))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, n) < n)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read member name value!");
@@ -1495,6 +1544,12 @@
 		break;
 
             default : /* Other unsupported values */
+		if (n > sizeof(buffer))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
                 value->unknown.length = n;
 	        if (n > 0)
 		{
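Review bot: This guard uses `n > sizeof(buffer)` where every other guard added to ippReadIO in this patch uses `>=`; presumably that is deliberate because the unknown-value path copies exactly `n` bytes and appends no nul, but without a comment the difference reads like a typo and invites someone to "fix" it. Suggest `/* no terminating nul is added for unknown values, so n == sizeof(buffer) is acceptable */` on the `if` line. The rest of the default case and the enclosing switch continue outside the hunk.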
@@ -1633,7 +1688,8 @@
 {
   int			i;		/* Looping var */
   int			n;		/* Length of data */
-  unsigned char		buffer[32768],	/* Data buffer */
+  unsigned char		buffer[IPP_MAX_LENGTH + 2],
+					/* Data buffer + length bytes */
 			*bufptr;	/* Pointer into buffer */
   ipp_attribute_t	*attr;		/* Current attribute */
   ipp_value_t		*value;		/* Current value */
@@ -1953,7 +2009,7 @@
 		 /*
 		  * All simple strings consist of the 2-byte length and
 		  * character data without the trailing nul normally found
-		  * in C strings.  Also, strings cannot be longer than 32767
+		  * in C strings.  Also, strings cannot be longer than IPP_MAX_LENGTH
 		  * bytes since the 2-byte length is a signed (twos-complement)
 		  * value.
 		  *
diff -urNad cupsys-1.2.7~/cups/ipp.h cupsys-1.2.7/cups/ipp.h
--- cupsys-1.2.7~/cups/ipp.h	2006-08-24 15:55:42.000000000 +0000
+++ cupsys-1.2.7/cups/ipp.h	2007-11-02 12:08:27.417001112 +0000
@@ -64,7 +64,8 @@
  * Common limits...
  */
 
-#  define IPP_MAX_NAME		256
+#  define IPP_MAX_LENGTH	32767	/* Maximum size of any single value */
+#  define IPP_MAX_NAME		256	/* Maximum length of common name values */
 #  define IPP_MAX_VALUES	8	/* Power-of-2 allocation increment */