Bug 1676 - lpd programs subject to buffer overflows
Product: Red Hat Linux
Classification: Retired
Component: lpr
i386 Linux
Priority: medium, Severity: medium
Assigned To: David Lawrence
Reported: 1999-03-22 14:25 EST by dhunt
Modified: 2008-05-01 11:37 EDT

Doc Type: Bug Fix
Last Closed: 1999-03-22 17:04:53 EST
Description dhunt 1999-03-22 14:25:10 EST
Under Red Hat 5.1, I found and fixed the following bug, which I emailed to bugs@redhat.com.  Here is my bug description:

Hello:  I have found a bug in lpd-0.31.  It seems that when you run Linux as a print server on a PC and you direct another machine running lpd (I have tried this with another PC and a DEC alpha OSF system) to send its print jobs to your print server, the jobs arrive in the queue, but are not printed.

When subsequently a local user prints a job, both the local and the previously queued remote job print.  I tracked this down to a buffer for file names of remote jobs which was too small.  This caused the child spawned by lpd to print the remote job to fail with a segmentation violation.  This happened after the jobs were received in the queue but before they were printed.

When a new local print job was received, this would flush the queue, so all jobs would be printed.  The local job followed a path through the code which did not have the bug.

This bug still appears in the code for lpr-0.33-1.i386.rpm.

I reference a patch to lpr-0.33-1.i386.rpm which fixes the problem (small buffer sizes which are used to store queue file names).  Please consider adding this patch to further lpr releases (or at least tell me why you don't if you decide not to).  I found this problem when using an upgraded version of named (version 8).  Using this version of named, the file input file names from a remote lpd seem to include the full DNS name of the remote server, thus pushing them over the 40 byte buffer size used in lpd.
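
The failing step in the report above, a remote queue file name landing in a 40-byte buffer, shown with explicit length checks. This is an added example, not part of the original report and not the lpr patch or Red Hat's code. It assumes the 40-byte size from the report and the RFC 1179 naming (`cfA` or `dfA`, a three-digit job number, then the host name); the function names and sample host names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define QFILE_MAX 40  /* buffer size named in the report */

/* Copy a queue file name received from a remote lpd into a fixed buffer.
 * Returns 0 on success, -1 if the name is empty or does not fit.
 * Over-long names are rejected rather than truncated: a truncated name
 * would refer to a file that is not in the spool directory. */
static int store_queue_name(char dst[QFILE_MAX], const char *src)
{
    size_t len;

    if (src == NULL)
        return -1;
    len = strlen(src);
    if (len == 0 || len >= QFILE_MAX)   /* keep one byte for the NUL */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Compose "<kind>fA<job><host>" and detect truncation through the
 * snprintf return value instead of trusting the host name length. */
static int build_queue_name(char dst[QFILE_MAX], char kind, int job,
                            const char *host)
{
    int n;

    if (host == NULL || job < 0 || job > 999 || (kind != 'c' && kind != 'd'))
        return -1;
    n = snprintf(dst, QFILE_MAX, "%cfA%03d%s", kind, job, host);
    if (n < 0 || n >= QFILE_MAX) {      /* would not have fitted */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed host names: one short, one fully qualified. */
    const char *hosts[] = { "alpha",
                            "printhost-03.building-7.engineering.example.com" };
    char name[QFILE_MAX];
    size_t i;

    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-50s %s\n", hosts[i],
               build_queue_name(name, 'c', 1, hosts[i]) == 0 ? name : "rejected");
    return 0;
}
```

With the three-digit job number and the `cfA` prefix taking six bytes, a 40-byte buffer leaves room for a host name of at most 33 characters, which a fully qualified DNS name can easily exceed.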
Comment 1 Bill Nottingham 1999-03-22 15:56:59 EST
Can you mail me the patch? That webserver doesn't seem to be responding...
Comment 2 Bill Nottingham 1999-03-22 17:04:59 EST
Fixed in lpr-0.35-1.