Bug 1676 - lpd programs subject to buffer overflows
Summary: lpd programs subject to buffer overflows
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: lpr
Version: 5.2
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: David Lawrence
QA Contact:
URL: http://trillian.cosmic.ucar.edu/lpr-0...
Depends On:
TreeView+ depends on / blocked
Reported: 1999-03-22 19:25 UTC by dhunt
Modified: 2008-05-01 15:37 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 1999-03-22 22:04:53 UTC

Attachments (Terms of Use)

Description dhunt 1999-03-22 19:25:10 UTC
Under redhat 5.1, I found and fixed the following bug, which
I emailed to bugs@redhat.com.  Here is my bug description:

Hello:  I have found a bug in lpd-0.31.  It seems that when
linux as a print server on a PC and you direct
another machine running lpd (I have tried this with another
PC and a DEC alpha OSF system) to send its print jobs to
your print
server, the jobs arrive in the queue, but are not printed.

When subsequently a local user prints a job, both the local
and the
previously queued remote job print.  I tracked this down to
buffer for file names of remote jobs which was too small.
This caused
the child spawned by lpd to print the remote job to fail
with a
segmentation violation.  This happened after the jobs were
received in
the queue but before they were printed.

When a new local print job was received, this would flush
the queue, so all jobs would be printed.  The local job
followed a path
through the code which did not have the bug.

This bug still appears in the code for lpr-0.33-1.i386.rpm.

I reference a patch to lpr-0.33-1.i386.rpm which fixes the
problem (small buffer sizes which are used to store queue
file names).  Please consider adding this patch to further
lpr releases (or at least tell me why you don't if you
decide not to).  I found this problem when using an upgraded
version of named (version 8).  Using this version of named,
the file input file names from a remote lpd seem to include
the full DNS name of the remote server, thus pushing them
over the 40 byte buffer size used in lpd.

Comment 1 Bill Nottingham 1999-03-22 20:56:59 UTC
can you mail me the patch? That webserver doesn't seem to
be responding...

Comment 2 Bill Nottingham 1999-03-22 22:04:59 UTC
Fixed in lpr-0.35-1.

Note You need to log in before you can comment on or make changes to this bug.