diff --git a/CHANGES.md b/CHANGES.md
index 77324d1678..8c7bfb0cdd 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,4 +1,4 @@
-CHANGES - 2.3.0 - 2019-08-01
+CHANGES - 2.3.0 - 2019-08-07
 ============================
@@ -26,6 +26,8 @@ Changes in CUPS v2.3.0
 to a named group (Issue #5613)
 - Added USB quirks rule for HP LaserJet 1015 (Issue #5617)
 - Fixed some PPD parser issues (Issue #5623, Issue #5624)
+- The IPP parser no longer allows invalid member attributes in collections
+ (Issue #5630)
 - Fixed an issue with unsupported "sides" values in the IPP backend
 (rdar://51775322)
 - The scheduler would restart continuously when idle and printers were not
diff --git a/cups/ipp.c b/cups/ipp.c
index 0248cb9d29..6fae52a006 100644
--- a/cups/ipp.c
+++ b/cups/ipp.c
@@ -3040,8 +3040,13 @@ ippReadIO(void *src, /* I - Data source */
 DEBUG_printf(("2ippReadIO: name length=%d", n));
- if (n == 0 && tag != IPP_TAG_MEMBERNAME &&
- tag != IPP_TAG_END_COLLECTION)
+ if (n && parent)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Invalid named IPP attribute in collection."), 1);
+ DEBUG_puts("1ippReadIO: bad attribute name in collection.");
+ return (IPP_STATE_ERROR);
+ }
+ else if (n == 0 && tag != IPP_TAG_MEMBERNAME && tag != IPP_TAG_END_COLLECTION)
 {
 /*
 * More values for current attribute...
diff --git a/cups/testipp.c b/cups/testipp.c
index 67700c6423..aca52021a4 100644
--- a/cups/testipp.c
+++ b/cups/testipp.c
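Review bot: In cups/ipp.c, the new `if (n && parent)` branch of ippReadIO returns `IPP_STATE_ERROR` directly, and the hunk does not show whether anything acquired earlier in the function is released on this path. ippReadIO starts and ends outside the hunk, so compare this return with the function's other error returns: if they hand back a read buffer with `_cupsBufferRelease()` before returning, this branch needs the same call, otherwise every malformed request from a peer leaves one buffer unreleased. A short comment above the check would also help, for example `/* Member attributes carry their name in a memberAttrName value, so a non-empty name inside a collection is malformed */`.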
@@ -187,6 +187,71 @@ static ipp_uchar_t collection[] = /* Collection buffer */
 0x00, 0x00, /* No name */
 0x00, 0x00, /* No value */
+ IPP_TAG_END /* end tag */
+ };
+static ipp_uchar_t bad_collection[] = /* Collection buffer (bad encoding) */
+ {
+ 0x01, 0x01, /* IPP version */
+ 0x00, 0x02, /* Print-Job operation */
+ 0x00, 0x00, 0x00, 0x01,
+ /* Request ID */
+
+ IPP_TAG_OPERATION,
+
+ IPP_TAG_CHARSET,
+ 0x00, 0x12, /* Name length + name */
+ 'a','t','t','r','i','b','u','t','e','s','-',
+ 'c','h','a','r','s','e','t',
+ 0x00, 0x05, /* Value length + value */
+ 'u','t','f','-','8',
+
+ IPP_TAG_LANGUAGE,
+ 0x00, 0x1b, /* Name length + name */
+ 'a','t','t','r','i','b','u','t','e','s','-',
+ 'n','a','t','u','r','a','l','-','l','a','n',
+ 'g','u','a','g','e',
+ 0x00, 0x02, /* Value length + value */
+ 'e','n',
+
+ IPP_TAG_URI,
+ 0x00, 0x0b, /* Name length + name */
+ 'p','r','i','n','t','e','r','-','u','r','i',
+ 0x00, 0x1c, /* Value length + value */
+ 'i','p','p',':','/','/','l','o','c','a','l',
+ 'h','o','s','t','/','p','r','i','n','t','e',
+ 'r','s','/','f','o','o',
+
+ IPP_TAG_JOB, /* job group tag */
+
+ IPP_TAG_BEGIN_COLLECTION,
+ /* begCollection tag */
+ 0x00, 0x09, /* Name length + name */
+ 'm', 'e', 'd', 'i', 'a', '-', 'c', 'o', 'l',
+ 0x00, 0x00, /* No value */
+ IPP_TAG_BEGIN_COLLECTION,
+ /* begCollection tag */
+ 0x00, 0x0a, /* Name length + name */
+ 'm', 'e', 'd', 'i', 'a', '-', 's', 'i', 'z', 'e',
+ 0x00, 0x00, /* No value */
+ IPP_TAG_INTEGER, /* integer tag */
+ 0x00, 0x0b, /* Name length + name */
+ 'x', '-', 'd', 'i', 'm', 'e', 'n', 's', 'i', 'o', 'n',
+ 0x00, 0x04, /* Value length + value */
+ 0x00, 0x00, 0x54, 0x56,
+ IPP_TAG_INTEGER, /* integer tag */
+ 0x00, 0x0b, /* Name length + name */
+ 'y', '-', 'd', 'i', 'm', 'e', 'n', 's', 'i', 'o', 'n',
+ 0x00, 0x04, /* Value length + value */
+ 0x00, 0x00, 0x6d, 0x24,
+ IPP_TAG_END_COLLECTION,
+ /* endCollection tag */
+ 0x00, 0x00, /* No name */
+ 0x00, 0x00, /* No value */
+ IPP_TAG_END_COLLECTION,
+ /* endCollection tag */
+ 0x00, 0x00, /* No name */
+ 0x00, 0x00, /* No value */
+
 IPP_TAG_END /* end tag */
 };
@@ -586,12 +651,33 @@ main(int argc, /* I - Number of command-line arguments */
 ippDelete(request);
+ /*
+ * Read the bad collection data and confirm we get an error...
+ */
+
+ fputs("Read Bad Collection from Memory: ", stdout);
+
+ request = ippNew();
+ data.rpos = 0;
+ data.wused = sizeof(bad_collection);
+ data.wsize = sizeof(bad_collection);
+ data.wbuffer = bad_collection;
+
+ while ((state = ippReadIO(&data, (ipp_iocb_t)read_cb, 1, NULL, request)) != IPP_STATE_DATA)
+ if (state == IPP_STATE_ERROR)
+ break;
+
+ if (state != IPP_STATE_ERROR)
+ puts("FAIL (read successful)");
+ else
+ puts("PASS");
+
 /*
 * Read the mixed data and confirm we converted everything to rangeOfInteger
 * values...
 */
- printf("Read Mixed integer/rangeOfInteger from Memory: ");
+ fputs("Read Mixed integer/rangeOfInteger from Memory: ", stdout);
 request = ippNew();
 data.rpos = 0;
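Review bot: The `bad_collection` array is described only as "(bad encoding)", which does not tell a reader which bytes are the malformed ones. From the data, the entries nested inside `media-col` (`media-size`, `x-dimension`, `y-dimension`) carry non-zero name lengths, which looks like the condition the parser change rejects. A comment on the first such entry, for example `/* Invalid: named attribute inside a collection */`, would make the intent of the vector checkable at a glance. The array comment could likewise name the defect instead of saying only "bad encoding".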
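Review bot: The failure branch of the new bad-collection check only prints: `puts("FAIL (read successful)");` changes no variable, so unless something outside this hunk inspects the output, a regression in the parser check would leave the test program's exit code unchanged. The branch should also record the failure in whatever exit-status value main returns; main continues outside the hunk, so that variable is not visible here. Separately, the `request` created by `request = ippNew();` in this block is never freed before the next test overwrites it; adding `ippDelete(request);` after the PASS/FAIL report would match the context line at the top of the hunk.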