Bug 436919 - eggcups segfaults if remote printer hostname contains _ character
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: desktop-printing
All Linux
low Severity low
Assigned To: Tim Waugh
Reported: 2008-03-11 01:27 EDT by Andrew Ryan
Modified: 2013-04-12 15:35 EDT (History)
Fixed In Version: RHBA-2008-0530
Doc Type: Bug Fix
Last Closed: 2008-06-12 05:06:42 EDT

Attachments
add additional checks to xmlParseURI result (468 bytes, patch)
2008-03-11 01:27 EDT, David Robinson

Description David Robinson 2008-03-11 01:27:03 EDT
Description of problem:
eggcups segfaults if remote printer hostname contains _ character, '_'.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Set up a remote printer using ipp to a host that has a _ in the name. For
example: http://SIE_INFO_4/printers/queue1
Send a print job to the queue and watch eggcups crash with a segfault.

Actual results:
segfault in g_str_hash

Expected results:
No segfault

Additional info:
Here is an example stack trace of a faulting process (rhel4):

(gdb) bt
#0  0x000000308433d8c0 in g_str_hash () from /usr/lib64/libglib-2.0.so.0
#1  0x000000308431c849 in g_hash_table_lookup () from /usr/lib64/libglib-
#2  0x000000000040dc42 in ec_cups_job_monitor_add_job (mon=0x5275a0, poll_now=1,
   host=0x0, printer_path=0x5d43c0 "/printers/Kopierer", job_id=35)
   at ec-cups-job-monitor.c:546
#3  0x000000000040ef41 in ec_job_model_job_sent_remote (model=0x527eb0,
   printer_name=0x5d4020 "remote", local_job_id=20,
   printer_uri=0x5d43c0 "/printers/Kopierer", remote_job_id=35)
   at ec-job-model.c:547
#4  0x0000000000412ef2 in handle_generic_dbus_message (icon=0x5a0460,
   is_session=0, connection=0x0, message=0x5a5690) at ec-tray-icon.c:530
#5  0x0000003085f0fd23 in dbus_connection_dispatch ()
  from /usr/lib64/libdbus-1.so.0
#6  0x000000308ac05cd8 in dbus_g_connection_flush ()
  from /usr/lib64/libdbus-glib-1.so.0
#7  0x00000030843266bd in g_main_context_dispatch ()
  from /usr/lib64/libglib-2.0.so.0
#8  0x0000003084328397 in g_main_context_acquire ()
  from /usr/lib64/libglib-2.0.so.0
#9  0x0000003084328735 in g_main_loop_run () from /usr/lib64/libglib-2.0.so.0
#10 0x0000003088818511 in gtk_main () from /usr/lib64/libgtk-x11-2.0.so.0
#11 0x000000000040b5d9 in main (argc=5, argv=0x5367c0) at main.c:206

From the stack trace above you can see that "host" passed to
ec_cups_job_monitor_add_job() is a null pointer and it is this which gets passed
on to the hash functions and results in the segfault.

"host" is assigned in ec_job_model_job_sent_remote using values that are
returned from xmlParseURI. It's possible for xmlParseURI to return without error
but with a struct that isn't populated correctly.

The attached patch adds additional checks to xmluri.
Comment 1 David Robinson 2008-03-11 01:27:03 EDT
Created attachment 297561
add additional checks to xmlParseURI result
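The failure mode described in the report, as an added example that is not part of the bug report, the attached patch, or the eggcups or libxml2 sources: a parser returns success but leaves the host field NULL, and the caller checks that field before building a lookup key. `struct parsed_uri`, `parse_uri`, `remote_job_key` and the key format are hypothetical stand-ins; the assumption that the host stays empty because the RFC 2396 hostname grammar has no `_` is this example's model, not something the report states.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical parse result: server is NULL if the authority is no hostname. */
struct parsed_uri { char buf[256]; const char *server, *path; };

/* Simplified RFC 2396 hostname check: labels of alphanumerics and '-'. */
static int is_hostname(const char *s) {
    char prev = '.';
    if (*s == '\0') return 0;
    for (; *s; prev = *s++) {
        if (*s == '.') { if (prev == '.' || prev == '-') return 0; }
        else if (*s == '-') { if (prev == '.') return 0; }
        else if (!isalnum((unsigned char)*s)) return 0;  /* '_' fails here */
    }
    return prev != '-';
}

/* Returns 0 on success even when server stays NULL; path points into uri. */
static int parse_uri(const char *uri, struct parsed_uri *u) {
    const char *p = strstr(uri, "://");
    memset(u, 0, sizeof *u);
    if (p == NULL || strlen(p + 3) >= sizeof u->buf) return -1;
    strcpy(u->buf, p + 3);
    char *slash = strchr(u->buf, '/');
    if (slash != NULL) { u->path = p + 3 + (slash - u->buf); *slash = '\0'; }
    if (is_hostname(u->buf)) u->server = u->buf;
    return 0;
}

/* Build a "host/path" key (hypothetical format); never pass NULL onward. */
int remote_job_key(const char *uri, char *key, size_t n) {
    struct parsed_uri u;
    if (uri == NULL || parse_uri(uri, &u) != 0) return -1;
    if (u.server == NULL || u.path == NULL) return -2;  /* parsed, unusable */
    return (size_t)snprintf(key, n, "%s%s", u.server, u.path) < n ? 0 : -3;
}

int main(void) {
    char key[512];
    const char *uris[] = { "http://SIE_INFO_4/printers/queue1", /* from the report */
                           "http://print1.example.com/printers/queue1" }; /* constructed */
    for (int i = 0; i < 2; i++)
        printf("%s -> %d\n", uris[i], remote_job_key(uris[i], key, sizeof key));
    return 0;
}
```

A return of -2 is the case the backtrace shows as `host=0x0`: the parse succeeded, but no usable host exists, so the job is rejected instead of being hashed.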
Comment 3 Phil Knirsch 2008-04-30 11:51:23 EDT
Proposing for RHEL-5.3 and granting Devel ACK.

Read ya, Phil
Comment 4 Phil Knirsch 2008-05-14 10:15:29 EDT
Proposing bug for RHEL-5.3 FasTrack.

Read ya, Phil
Comment 10 errata-xmlrpc 2008-06-12 05:06:42 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

