Andrew Geissler | 90fd73c | 2021-03-05 15:25:55 -0600 | [diff] [blame] | 1 | From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001 |
| 2 | From: Michael R Sweet <msweet@msweet.org> |
| 3 | Date: Mon, 1 Feb 2021 15:02:32 -0500 |
| 4 | Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001) |
| 5 | |
| 6 | Upstream-Status: Backport |
| 7 | CVE: CVE-2020-10001 |
| 8 | |
| 9 | Reference to upstream patch: |
| 10 | [https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9] |
| 11 | |
| 12 | [SG: Adapted for version 2.3.3] |
| 13 | Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> |
| 14 | --- |
| 15 | CHANGES.md | 2 ++ |
| 16 | cups/ipp.c | 8 +++++--- |
| 17 | 2 files changed, 7 insertions(+), 3 deletions(-) |
| 18 | |
| 19 | diff --git a/CHANGES.md b/CHANGES.md |
| 20 | index df72892..5ca12da 100644 |
| 21 | --- a/CHANGES.md |
| 22 | +++ b/CHANGES.md |
| 23 | @@ -4,6 +4,8 @@ CHANGES - 2.3.3 - 2020-04-24 |
| 24 | Changes in CUPS v2.3.3 |
| 25 | ---------------------- |
| 26 | |
| 27 | +- Security: Fixed a buffer (read) overflow in the `ippReadIO` function |
| 28 | + (CVE-2020-10001) |
| 29 | - CVE-2020-3898: The `ppdOpen` function did not handle invalid UI |
| 30 | constraint. `ppdcSource::get_resolution` function did not handle |
| 31 | invalid resolution strings. |
| 32 | diff --git a/cups/ipp.c b/cups/ipp.c |
| 33 | index 3d52934..adbb26f 100644 |
| 34 | --- a/cups/ipp.c |
| 35 | +++ b/cups/ipp.c |
| 36 | @@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */ |
| 37 | unsigned char *buffer, /* Data buffer */ |
| 38 | string[IPP_MAX_TEXT], |
| 39 | /* Small string buffer */ |
| 40 | - *bufptr; /* Pointer into buffer */ |
| 41 | + *bufptr, /* Pointer into buffer */ |
| 42 | + *bufend; /* End of buffer */ |
| 43 | ipp_attribute_t *attr; /* Current attribute */ |
| 44 | ipp_tag_t tag; /* Current tag */ |
| 45 | ipp_tag_t value_tag; /* Current value tag */ |
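Review bot: The comment `/* End of buffer */` on the new `*bufend` declaration is misleading: the variable is later assigned `buffer + n` (visible in the next hunk), i.e. one past the last byte of the value just read, not `buffer + IPP_BUF_SIZE`, and the new bound checks depend on exactly that distinction. Suggest `*bufend; /* One past last byte of the current value (buffer + n), not the end of the allocation */`. The declaration list and the body of ippReadIO continue outside this hunk.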
| 46 | @@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */ |
| 47 | } |
| 48 | |
| 49 | bufptr = buffer; |
| 50 | + bufend = buffer + n; |
| 51 | |
| 52 | /* |
| 53 | * text-with-language and name-with-language are composite |
| 54 | @@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */ |
| 55 | |
| 56 | n = (bufptr[0] << 8) | bufptr[1]; |
| 57 | |
| 58 | - if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string)) |
| 59 | + if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string)) |
| 60 | { |
| 61 | _cupsSetError(IPP_STATUS_ERROR_INTERNAL, |
| 62 | _("IPP language length overflows value."), 1); |
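Review bot: The new check forms the pointer `bufptr + 2 + n + 2` before comparing it, and since `n` comes from the two bytes read just above it can be up to 0xFFFF, so that pointer may lie far beyond the buffer allocation; forming it is undefined behaviour even when only the comparison is intended (CERT ARR30-C), and an optimiser is allowed to assume it stays in bounds. Comparing remaining length avoids that: `if (n + 4 > bufend - bufptr || n >= (int)sizeof(string))`, which cannot overflow because `n` is at most 65535. The trailing `+ 2` also deserves a comment, since it reserves room for the two-byte text-length read that follows in the next hunk: `/* 2-byte language-length + language + 2-byte text-length must fit in the value */`. Note that the reads of `bufptr[0]` and `bufptr[1]` happen before this bound check, so they rely on a minimum-length check for the composite value that lies above the hunk; the enclosing case body extends outside it.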
| 63 | @@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */ |
| 64 | bufptr += 2 + n; |
| 65 | n = (bufptr[0] << 8) | bufptr[1]; |
| 66 | |
| 67 | - if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE)) |
| 68 | + if ((bufptr + 2 + n) > bufend) |
| 69 | { |
| 70 | _cupsSetError(IPP_STATUS_ERROR_INTERNAL, |
| 71 | _("IPP string length overflows value."), 1); |
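Review bot: This check accepts `bufptr + 2 + n == bufend`, so the text may end exactly at the last byte read into `buffer`; whatever follows the hunk to hand the text to the caller (not visible here) must then not touch `bufptr[2 + n]`, or, if it NUL-terminates in place there, that write lands at `bufend` and is inside the allocation only because the value length was presumably capped strictly below `IPP_BUF_SIZE` above the hunk. That invariant is worth stating next to the check, e.g. `/* text may run up to bufend; bufend < buffer + IPP_BUF_SIZE, so a terminator at bufend still fits */`. As with the language check, the comparison is safer written as a length than as a possibly out-of-bounds pointer: `if (n + 2 > bufend - bufptr)`. The rest of the case body is outside the hunk.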
| 72 | -- |
| 73 | 2.17.1 |
| 74 | |