Bug 203784 - /usr/sbin/cupsd crashes with SEGV in strcmp()
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: cups
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tim Waugh
Reported: 2006-08-23 18:27 UTC by Valdis Kletnieks
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.2.2-15
Doc Type: Bug Fix
Last Closed: 2006-08-24 09:57:49 UTC
Type: ---

Description Valdis Kletnieks 2006-08-23 18:27:44 UTC
Description of problem:
After installing cups 1.2.2-14, running 'lpr something.ps' causes the cupsd
process to crash with a SEGV in strcmp().

Version-Release number of selected component (if applicable):
cups-1.2.2-14

How reproducible:
lpr a file.


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Traceback reported by a gdb attached to cupsd when it crashed:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1215527216 (LWP 3425)]
0xb7c8bf8a in strcmp () from /lib/libc.so.6
(gdb) where
#0  0xb7c8bf8a in strcmp () from /lib/libc.so.6
#1  0x8002ea01 in add_job (con=0x80091150, uri=0x80090960, dprinter=0xbf987300,
filetype=0x80061bb8) at ipp.c:1658
#2  0x80030368 in print_job (con=0x80091150, uri=0x80090960) at ipp.c:7127
#3  0x80032be6 in cupsdProcessIPPRequest (con=0x80091150) at ipp.c:470
#4  0x8001112b in cupsdReadClient (con=0x80091150) at client.c:1917
#5  0x800201de in main (argc=1, argv=0xbf996864) at main.c:938
(gdb) up
#1  0x8002ea01 in add_job (con=0x80091150, uri=0x80090960, dprinter=0xbf987300,
filetype=0x80061bb8) at ipp.c:1658
1658          if ((strcmp(userheader, Classification) == 0)
(gdb) print *uri
$1 = {next = 0x800710e8, group_tag = IPP_TAG_OPERATION, value_tag = IPP_TAG_URI,
name = 0x80073750 "printer-uri", num_values = 1, values = {{
      integer = 0, boolean = 0 '\0', date =
"\000\000\000\000x\020\a\200\000\000", resolution = {xres = 0, yres =
-2147020680, units = 0}, 
      range = {lower = 0, upper = -2147020680}, string = {charset = 0x0, text =
0x80071078 "ipp://localhost/printers/hp4300"}, unknown = {
        length = 0, data = 0x80071078}, collection = 0x0}}}
(gdb) print *filetype
$2 = {rules = 0x80061be0, super = "application\000\000\000\000", 
  type = "postscript\000\000\000\000\000\000i", '\0' <repeats 15 times>,
"H\034\006\200\002", '\0' <repeats 83 times>,
"i\000\000\000\000\000\000\000°\034\006\200à\033\006\200\000\000\000\000\003",
'\0' <repeats 15 times>, "*.ai", '\0' <repeats 64 times>,
"i\000\000\000H\034\006\200\030\035\006\200à\033\006\200\000\000\000\000\003\000\000\000\000\000\000\000\000\000\000"}
(gdb) print *con
$3 = {http = {fd = 9, blocking = 0, error = 0, activity = 1156357775, state =
HTTP_POST_SEND, status = HTTP_OK, version = HTTP_1_1, 
    keep_alive = HTTP_KEEPALIVE_ON, _hostaddr = {sin_family = 0, sin_port = 0,
sin_addr = {s_addr = 0}, 
      sin_zero = "\000\000\000\000\000\000\000"}, hostname = "localhost", '\0'
<repeats 246 times>, fields = {'\0' <repeats 255 times>, 
      '\0' <repeats 255 times>, '\0' <repeats 255 times>, '\0' <repeats 255
times>, '\0' <repeats 255 times>, '\0' <repeats 255 times>, 
      "425564", '\0' <repeats 249 times>, '\0' <repeats 255 times>, '\0'
<repeats 255 times>, '\0' <repeats 255 times>, 
      "application/ipp", '\0' <repeats 240 times>, '\0' <repeats 255 times>,
'\0' <repeats 255 times>, 
      "/var/run/cups/cups.sock", '\0' <repeats 232 times>, '\0' <repeats 255
times> <repeats 11 times>, 
      "CUPS/1.2.2", '\0' <repeats 245 times>, '\0' <repeats 255 times>}, data =
0x0, data_encoding = HTTP_ENCODE_LENGTH, 
    _data_remaining = 0, used = 0, 
    buffer =
"\003one\003e\003e\003\003one\003e\003B\000\000\000\004none\003e\003\003\003b-sheets\000\004noneB\000\000\000\004none\003e\003\004noneB\000\000\000\004none\003e\003\003\000\000\004none\003e\003\000\000\004none\003e\003\003\004none\003e\003eets\000\004noneB\000\000\000\004none\003e\003\003m\002B\000\njob-sheets\000\004noneB\000\000\000\004none\003e\003eB\000\000\000\004none\003e\003\003none\003e\003\njob-sheets\000\004noneB\000\000"...,
auth_type = 0, md5_state = {count = {0, 0}, abcd = {0, 0, 0, 0}, buf = '\0'
<repeats 63 times>}, 
    nonce = '\0' <repeats 255 times>, nonce_count = 0, tls = 0x0, encryption =
HTTP_ENCRYPT_IF_REQUESTED, input_set = 0x80071f28, 
    expect = HTTP_CONTINUE, cookie = 0x0, authstring = '\0' <repeats 255 times>,
userpass = '\0' <repeats 255 times>, digest_tries = 0, 
    data_remaining = 0, hostaddr = 0x800945a8, addrlist = 0x0, wbuffer = '\0'
<repeats 2047 times>, wused = 0}, request = 0x0, 
  response = 0x80071220, best = 0x80067cc0, start = 1156357775, operation =
HTTP_POST, bytes = 434703, username = '\0' <repeats 32 times>, 
  password = '\0' <repeats 32 times>, uri = "/printers/hp4300", '\0' <repeats
1007 times>, filename = 0x80071200 "/var/spool/cups/00000000", 
  command = 0x0, options = 0x0, file = -1, file_ready = 0, pipe_pid = 0,
sent_header = 0, got_fields = 0, field_col = 0, 
  language = 0x80071f00, auto_ssl = 0, clientaddr = {addr = {sa_family = 1,
sa_data = '\0' <repeats 13 times>}, ipv4 = {sin_family = 1, 
      sin_port = 0, sin_addr = {s_addr = 0}, sin_zero =
"\000\000\000\000\000\000\000"}, ipv6 = {sin6_family = 1, sin6_port = 0, 
      sin6_flowinfo = 0, sin6_addr = {in6_u = {u6_addr8 = '\0' <repeats 15
times>, u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, u6_addr32 = {0, 0, 
            0, 0}}}, sin6_scope_id = 0}, un = {sun_family = 1, sun_path = '\0'
<repeats 107 times>}, 
    pad = "\001", '\0' <repeats 254 times>}, servername = "localhost", '\0'
<repeats 246 times>, serverport = 631, 
  scon = 0x800766d8 "UNKNOWN SL", auid = 0}
(gdb) print **dprinter
$5 = {uri = 0x800768d8 "ipp://turing-police.cc.vt.edu:631/printers/hp4300",
hostname = 0x8005d4b8 "turing-police.cc.vt.edu", 
  name = 0x80072310 "hp4300", location = 0x800758b0 "ISB", make_model =
0x80072c20 "Generic postscript printer", 
  info = 0x80072398 "Postscript Printer", op_policy = 0x800603c0 "default",
error_policy = 0x80060eb8 "stop-printer", 
  op_policy_ptr = 0x80066a70, shared = 0, accepting = 1, in_implicit_class = 0,
state = IPP_PRINTER_STOPPED, 
  state_message = "Paused", '\0' <repeats 1017 times>, num_reasons = 0, reasons
= {0x0 <repeats 16 times>}, state_time = 1152905285, 
  job_sheets = {0x80060e98 "none", 0x80060e98 "none"}, type = 4180, browse_attrs
= 0x80076930 "job-sheets=none,none lease-duration=300", 
  browse_expire = 0, browse_time = 0, device_uri = 0x80072148
"ipp://aishp4300-1.cc.vt.edu", port_monitor = 0x0, raw = 0, remote = 0, 
  filetype = 0x80075880, filetypes = 0x8007a4a0, job = 0x0, attrs = 0x800751b8,
num_printers = 0, last_printer = 0, printers = 0x0, 
  quota_period = 0, page_limit = 0, k_limit = 0, quotas = 0x0, deny_users = 0,
num_users = 0, users = 0x0, num_history = 1, 
  history = 0x80072368, sequence_number = 1, num_options = 0, options = 0x0}

Comment 1 Valdis Kletnieks 2006-08-23 19:42:39 UTC
It's possible that this is actually a glibc issue - yum updated glibc at the
same time, and I'm seeing memory overlay issues in another application as well.
Things were working OK with 2.4.90-21; I'm starting to suspect this:

* Tue Aug 22 2006 Jakub Jelinek <jakub> 2.4.90-23
- malloc fixes, especially for 32-bit arches (#202309)

as a possible culprit. 

Comment 2 Horst H. von Brand 2006-08-23 21:09:59 UTC
I also see cups crashing here, both on i386 and x86_64.

Comment 3 Tim Waugh 2006-08-24 09:57:49 UTC
Fixed in cups-1.2.2-15.  Thanks for the report!

