509741 – cupsd segfaults on bad job control file

Bug 509741 - cupsd segfaults on bad job control file

Summary: cupsd segfaults on bad job control file

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	cups
Sub Component:
Version:	11
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	high
Target Milestone:	---
Assignee:	Tim Waugh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-07-05 16:46 UTC by Peter Trenholme
Modified:	2009-07-23 19:08 UTC (History)
CC List:	2 users (show)
Fixed In Version:	1.4-0.rc1.10.fc11
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-07-23 19:08:53 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
/var/spool/cups image when segfault occures. (13.06 MB, application/x-bzip2) 2009-07-06 00:48 UTC, Peter Trenholme	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
CUPS Bugs and Features	3253	0	None	None	None	Never

Description Peter Trenholme 2009-07-05 16:46:54 UTC

Description of problem:
cupsd reports a sefault and aborts

Version-Release number of selected component (if applicable):
cupsd from cup package: Version 1.4, release 0.b2.18.fc11

How reproducible:
Every time

Steps to Reproduce:
1. start cupsd 
2.
3.
  
Actual results:
Segmentation fault

Expected results:
daemon running

Additional info:
I don't actually use CUPS, but it was started automatically. Thus the cups.conf file I'm "using" is the default file. I just noticed the problem whilst reviewing my logwatch output. I marked this "high," but others (if this is a common problem) may find it "urgent."

Here's a traceback from running cupsd -f in gdb:

(gdb) bt
#0  0x00007ffff4e8a9d7 in _IO_vfprintf_internal (s=0x7fffffffa560,
    format=<value optimized out>, ap=0x7fffffffa6d0) at vfprintf.c:1580
#1  0x00007ffff4f36c20 in ___vsnprintf_chk (s=0x7fffffffb9c0 "CONTENT_TYPE=\177",
    maxlen=<value optimized out>, flags=1, slen=<value optimized out>,
    format=0x7ffff7ff64bc "CONTENT_TYPE=%s/%s", args=0x7fffffffa6d0) at vsnprintf_chk.c:65
#2  0x00007ffff4f36b5a in ___snprintf_chk (s=0xc <Address 0xc out of bounds>,
    maxlen=140737488331800, flags=48, slen=18446744073709551615, format=0x0)
    at snprintf_chk.c:36
#3  0x00007ffff7fd7418 in snprintf (__fmt=<value optimized out>, __n=<value optimized out>,
    __s=<value optimized out>) at /usr/include/bits/stdio2.h:65
#4  cupsdContinueJob (__fmt=<value optimized out>, __n=<value optimized out>,
    __s=<value optimized out>) at job.c:873
#5  0x00007ffff7fd950b in start_job (printer=<value optimized out>,
    job=<value optimized out>) at job.c:3933
#6  cupsdCheckJobs (printer=<value optimized out>, job=<value optimized out>) at job.c:405
#7  0x00007ffff7fd9768 in finalize_job (job=0x7ffff8212070) at job.c:2902
#8  0x00007ffff7fdba16 in update_job (job=0x7ffff8212070) at job.c:4328
#9  0x00007ffff7fe7582 in cupsdDoSelect (timeout=<value optimized out>) at select.c:500
#10 0x00007ffff7fc0e8c in main (argc=<value optimized out>, argv=<value optimized out>)
    at main.c:836

Comment 1 Tim Waugh 2009-07-05 22:03:26 UTC

It's being triggered by one of the print jobs in the queue.  Would you be able to provide a complete copy of the contents of your print queue? (You can mark it 'private'...)

Become the root user (with 'su -'), then:

tar jcf /tmp/spool.tar.bz2 /var/spool/cups

Then, attach the /tmp/spool.tar.bz2 file using the 'Add an attachment' link on this page.

If you are unwilling/unable to do this, it might be possible to narrow down which job is the problem by, instead of 'bt' at the prompt, doing this and letting me know what it says:

select-frame 4
info locals
print job->id
print job->current_file
print job->filetypes[job->current_file]

Thanks for reporting the problem and helping to get it fixed!

Comment 2 Peter Trenholme 2009-07-06 00:48:54 UTC

Created attachment 350560 [details]
/var/spool/cups image when segfault occures.

Not much in there. After I posted the bug report, I noticed that running cupsd had created a "Print Jobs" icon in the notification error, and clicking on the icon brought up a print queue report for a job directed to /dev/null. (I have no idea how /dev/null could be a print job destination, unless I tried to print something before I defined a printer, but that doesn't seem possible.)

Anyhow, that may be a clue to why the print function is having a problem.

Comment 3 Tim Waugh 2009-07-06 10:34:09 UTC

Yes, that's basically the problem.  In detail, 'job-printer-uri' is set to 'file:/dev/null' for job 4, which causes problems when cupsd tries to load that job as it isn't a valid value for job-printer-uri.  In fact, I can't really see how that could have happened.

I have a fix for cupsd so that it doesn't crash in this case, but the root cause of the problem is the file:/dev/null thing.

The print job in this case was a photograph.  Do you know which application printed it?  It seems it was intended for a printer named 'ML-1430B' -- is that a print queue that exists currently?

Comment 4 Peter Trenholme 2009-07-06 13:57:49 UTC

Well, yes and no: ML-1430B is a laser printer (Samsung) on my local net that used to be available via Samba. When I moved the printer to a wirelessly-connected desktop, I discovered that Samba could not "see" the printer. I suspect that I was attempting to "tweak" the printer queue definition to establish connectivity and did something strange. This was several months ago, and my recollection is quite hazy at this point.

By quickly running "system-config-printer" after a "cupsd -f" I managed to see which printers were defined. They were HP, HP Fax (both local) and ML-1430 (as a network printer). ML-1430B was not listed. The "local" devices seen to work even without cupsd running.

Since the spooled item is a picture, it was most probably queued by Firefox via nautilus. (Since Firefox uses nautilus by default.) I suspect that the default queue was incorrectly set, and I failed to notice that when I pressed O.K. when asked to confirm the print. (That item was, most probably, queued while I was running on a Fedora 10 release since I only upgraded this laptop last month.)

Anyhow, is there any way to "fix" the spool file so I could get cupsd running again? I have been able print to the HP printer connected to this laptop via a USB cable even with cupsd "bonked," but having it running on those rare occasions when I want to use cups might be more elegant.

Hum: I have another Fedora 11 installation on a USB drive. Since there's nothing in those queues, I think I'll try the CUPS data files on this laptop from the files on the USB drive. (Hey, this is not a production system: I retired in the '90s . . .)

Comment 5 Tim Waugh 2009-07-06 14:41:45 UTC

Oh, I'd misread the job control file; it was ML-1430, not ML-1430B.

(In reply to comment #4)
> Anyhow, is there any way to "fix" the spool file so I could get cupsd running
> again? I have been able print to the HP printer connected to this laptop via a
> USB cable even with cupsd "bonked," but having it running on those rare
> occasions when I want to use cups might be more elegant.

This should be sufficient:

service cups stop
rm -f /var/spool/cups/[cd]* /var/cache/cups/job.cache
service cups start

Thanks for your help!

Comment 6 Fedora Update System 2009-07-19 10:16:16 UTC

cups-1.4-0.rc1.10.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cups'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-6680

Comment 7 Fedora Update System 2009-07-23 19:08:04 UTC

cups-1.4-0.rc1.10.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.