printers.cgi and jobs.cgi crash with segfault #1699

Closed

michaelrsweet opened this issue May 16, 2006 · 7 comments

@michaelrsweet
Collaborator

Version: 1.2.0
CUPS.org User: heisenbug

New compile and clean install on Solaris 9 (gcc 3.3.2), with the getifaddrs patch. I get a segfault (noted in the error_log) when I try to list printers or completed/all jobs via the HTTP interface. The command-line interface works fine (lpstat -W completed -o).

How can I get the cgi to dump a core for analysis? I don't see anything obvious in the cupsd.conf file.

Scope unknown - I don't have any other testbed machines available to me :(

@michaelrsweet
Collaborator Author

CUPS.org User: mike

If you run cupsd in the foreground (cupsd -f) then core files will be allowed. Alternately, a "make test" will run a test server on port 8631 so you can see what is going on...

Let me know how you make out...

@michaelrsweet
Collaborator Author

CUPS.org User: heisenbug

OK... tried that, but I'm not getting any core files. They're not stopped by the ulimit:

server:/usr/local/cups/var/log/cups#ulimit -a
core file size (blocks) unlimited
data seg size (kbytes) unlimited
file size (blocks) unlimited
open files 2048
pipe size (512 bytes) 10
stack size (kbytes) 8192
cpu time (seconds) unlimited
max user processes 29995
virtual memory (kbytes) unlimited

If I run the cgi script manually I get a core, but I don't know if it's a valid test. In any case, I've trussed the application:

truss -f -t !time -o /tmp/cupsd.truss /usr/local/cups/sbin/cupsd -f

error_log_2.txt and cupsd.truss attached.

@michaelrsweet
Collaborator Author

CUPS.org User: julianct

This seems to be a bug in cgi-bin/ipp-var.c at line 777 (the debug fprintf()).

If the prefix argument is NULL the fprintf() will fail. I modified the statement to be:

fprintf(stderr, "DEBUG2: cgiSetIPPObjectVars(obj=%p, prefix=\"%s\", "
                "element=%d)\n",
        obj, prefix ? prefix : "(null)", element);

This fixed the problem for me on Solaris 9.

@michaelrsweet
Collaborator Author

CUPS.org User: julianct

There are a few other places where calls to fprintf() can pass NULL arguments for "%s" formats:

cgi-bin/ipp-var.c (line 980)
cgi-bin/admin.c (line 538)

These prevent viewing/modification of printers.

I'm still looking for more :-)

@michaelrsweet
Collaborator Author

CUPS.org User: heisenbug

Looks like there's another one in scheduler/log.c, at line 213. This one can be provoked by setting "LogLevel debug2" and browsing to http://server:631/jobs/ - instant crash of cupsd. Fortunately, I got a core from this one:

server:/usr/local/cups/var/log/cups#gdb -c core /usr/local/cups/sbin/cupsd
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.9"...
Core was generated by `/usr/local/cups/sbin/cupsd -f'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libslp.so.1...done.
Loaded symbols for /usr/lib/libslp.so.1
Reading symbols from /usr/lib/libpam.so.1...done.
Loaded symbols for /usr/lib/libpam.so.1
Reading symbols from /usr/lib/libdl.so.1...done.
Loaded symbols for /usr/lib/libdl.so.1
Reading symbols from /usr/local/cups/lib/libcups.so.2...done.
Loaded symbols for /usr/local/cups/lib/libcups.so.2
Reading symbols from /usr/lib/libpthread.so.1...done.
Loaded symbols for /usr/lib/libpthread.so.1
Reading symbols from /usr/lib/libresolv.so.2...done.
Loaded symbols for /usr/lib/libresolv.so.2
Reading symbols from /usr/lib/libnsl.so.1...done.
Loaded symbols for /usr/lib/libnsl.so.1
Reading symbols from /usr/lib/libsocket.so.1...done.
Loaded symbols for /usr/lib/libsocket.so.1
Reading symbols from /usr/lib/libc.so.1...done.
Loaded symbols for /usr/lib/libc.so.1
Reading symbols from /usr/lib/libthread.so.1...done.
Loaded symbols for /usr/lib/libthread.so.1
Reading symbols from /usr/lib/libcmd.so.1...done.
Loaded symbols for /usr/lib/libcmd.so.1
Reading symbols from /usr/lib/libmp.so.2...done.
Loaded symbols for /usr/lib/libmp.so.2
Reading symbols from /usr/platform/SUNW,Sun-Fire-V490/lib/libc_psr.so.1...done.
Loaded symbols for /usr/platform/SUNW,Sun-Fire-V490/lib/libc_psr.so.1
Reading symbols from /usr/lib/nss_files.so.1...done.
Loaded symbols for /usr/lib/nss_files.so.1
#0 0xff0b44e4 in strlen () from /usr/lib/libc.so.1
(gdb) bt
#0 0xff0b44e4 in strlen () from /usr/lib/libc.so.1
#1 0xff106c30 in _doprnt () from /usr/lib/libc.so.1
#2 0xff108ca0 in vsnprintf () from /usr/lib/libc.so.1
#3 0x00040578 in cupsdLogMessage (level=9,
message=0x4ea38 "pipe_command: command="%s", options="%s"") at log.c:213
#4 0x0001eec0 in pipe_command (con=0x5549e8, infile=13, outfile=0x44,
command=0x54b400 "/usr/local/cups/lib/cups/cgi-bin/jobs.cgi", options=0x0,
root=5602856) at client.c:3508
#5 0x0001d0b4 in cupsdSendCommand (con=0x5549e8,
command=0x54b400 "/usr/local/cups/lib/cups/cgi-bin/jobs.cgi",
options=0x3400 <Address 0x3400 out of bounds>, root=13376) at client.c:1899
#6 0x0001bb98 in cupsdReadClient (con=0x5549e8) at client.c:1242
#7 0x0002b1b8 in main (argc=470032, argv=0x1) at main.c:901
(gdb)
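
The guard pattern julianct describes, and the failure mode the backtrace above shows (vsnprintf() walking a NULL "%s" argument inside strlen()), as an added example that is not CUPS code: a nullstr() helper applied at a call site modelled on pipe_command(), plus a stand-in log_message() that makes clear why the guard cannot live inside the logger. The names nullstr, log_message and format_pipe_command_debug are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example (not CUPS source). printf("%s", NULL) is undefined
 * behaviour: glibc happens to print "(null)", while Solaris libc walks
 * the NULL pointer in strlen(), which is frame #0 of the backtrace. */
static const char *nullstr(const char *s)
{
  return s ? s : "(null)";
}

/* Stand-in for cupsdLogMessage(): format through vsnprintf() into a
 * caller-supplied buffer. The logger cannot see whether a "%s" argument
 * is NULL, because vsnprintf() consumes the va_list itself, so the guard
 * has to be applied by every caller. Returns the formatted length. */
static int log_message(char *buf, size_t buflen, const char *fmt, ...)
{
  va_list ap;
  int     len;

  va_start(ap, fmt);
  len = vsnprintf(buf, buflen, fmt, ap);
  va_end(ap);

  return len;
}

/* Call site modelled on pipe_command() from the backtrace, where options
 * was 0x0 for a request to /jobs/. Both string arguments are guarded. */
static int format_pipe_command_debug(char *buf, size_t buflen,
                                     const char *command,
                                     const char *options)
{
  return log_message(buf, buflen,
                     "pipe_command: command=\"%s\", options=\"%s\"",
                     nullstr(command), nullstr(options));
}

int main(void)
{
  char buf[256];

  /* Constructed input: a CGI path with no query string, i.e. options NULL. */
  format_pipe_command_debug(buf, sizeof(buf),
                            "/usr/local/cups/lib/cups/cgi-bin/jobs.cgi", NULL);
  puts(buf);

  return 0;
}
```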

@michaelrsweet
Collaborator Author

CUPS.org User: mike

Fixed in Subversion repository.

@michaelrsweet
Collaborator Author

"str1699.patch":

Index: html.c

--- html.c (revision 5547)
+++ html.c (working copy)
@@ -175,7 +175,8 @@
{
(void)prompt;

  • fprintf(stderr, "DEBUG: cgi_null_passwd(prompt="%s") called!\n", prompt);

  • fprintf(stderr, "DEBUG: cgi_null_passwd(prompt="%s") called!\n",

  •      prompt ? prompt : "(null)");
    

    return (NULL);
    }
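
Review bot: `(void)prompt;` two lines above the fprintf() is redundant, since prompt is used by the very next statement in both the old and the new version of cgi_null_passwd(); drop it rather than leave a hint that the parameter is otherwise unused.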

    Index: printers.c

    --- printers.c (revision 5547)
    +++ printers.c (working copy)
    @@ -331,7 +331,7 @@

    fprintf(stderr, "DEBUG: show_all_printers(http=%p, user="%s")\n",

  •      http, user);
    
  •      http, user ? user : "(null)");
    

    /*

    • Show the standard header...
      @@ -543,7 +543,7 @@

    fprintf(stderr, "DEBUG: show_printer(http=%p, printer="%s")\n",

  •      http, printer);
    
  •      http, printer ? printer : "(null)");
    

    /*

    • Build an IPP_GET_PRINTER_ATTRIBUTES request, which requires the following
      Index: template.c

      --- template.c (revision 5547)
      +++ template.c (working copy)
      @@ -60,7 +60,7 @@

    fprintf(stderr, "DEBUG: cgiCopyTemplateFile(out=%p, tmpl="%s")\n", out,

  •      tmpl);
    
  •      tmpl ? tmpl : "(null)");
    

    /*

    • Open the template file...
      @@ -69,7 +69,7 @@
      if ((in = fopen(tmpl, "r")) == NULL)
      {
      fprintf(stderr, "ERROR: Unable to open template file "%s" - %s\n",
  •        tmpl, strerror(errno));
    
  •        tmpl ? tmpl : "(null)", strerror(errno));
    

    return;
    }
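
Review bot: the "(null)" guard in the error message does not protect the `if ((in = fopen(tmpl, "r")) == NULL)` line above it: when tmpl is NULL, fopen() receives a NULL pathname before the message is ever reached, which is undefined behaviour and can crash in the same way the fprintf() did. Check tmpl for NULL before the fopen() and return early, so the "(null)" text in the message is only ever a fallback for a path that was actually attempted.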

@@ -102,7 +102,8 @@
FILE in; / Input file */

  • fprintf(stderr, "DEBUG: cgiCopyTemplateLang(tmpl="%s")\n", tmpl);

  • fprintf(stderr, "DEBUG: cgiCopyTemplateLang(tmpl="%s")\n",

  •      tmpl ? tmpl : "(null)");
    

    /*

    • Convert the language to a locale name...
      Index: ipp-var.c

      --- ipp-var.c (revision 5547)
      +++ ipp-var.c (working copy)
      @@ -774,7 +774,7 @@

    fprintf(stderr, "DEBUG2: cgiSetIPPObjectVars(obj=%p, prefix="%s", "
    "element=%d)\n",

  •      obj, prefix, element);
    
  •      obj, prefix ? prefix : "(null)", element);
    

    /*

    • Set common CGI template variables...
      @@ -977,7 +977,9 @@

    fprintf(stderr, "DEBUG2: cgiSetIPPVars(response=%p, filter_name="%s", "
    "filter_value="%s", prefix="%s", parent_el=%d)\n",

  •      response, filter_name, filter_value, prefix, parent_el);
    
  •      response, filter_name ? filter_name : "(null)",
    
  • filter_value ? filter_value : "(null)",
    
  • prefix ? prefix : "(null)", parent_el);
    

    /*

    • Set common CGI template variables...
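
Review bot: three guarded arguments in one cgiSetIPPVars() debug statement make the line hard to read; a tiny helper such as `nullstr(s)` returning `s ? s : "(null)"` (or an equivalent macro) applied to each "%s" argument would keep these statements short and make a missed argument easy to spot, which matters here because the thread found these call sites one at a time.
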
      Index: help.c

      --- help.c (revision 5547)
      +++ help.c (working copy)
      @@ -187,7 +187,8 @@
      topic = cgiGetVariable("TOPIC");
      si = helpSearchIndex(hi, query, topic, helpfile);
  • fprintf(stderr, "DEBUG: query="%s", topic="%s"\n", query, topic);

  • fprintf(stderr, "DEBUG: query="%s", topic="%s"\n",

  •      query ? query : "(null)", topic ? topic : "(null)");
    

    if (si)
    {
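
Review bot: `si = helpSearchIndex(hi, query, topic, helpfile);` on the line above has already consumed query and topic by the time the guarded fprintf() runs, so if either can be NULL here (the reason for this hunk), confirm helpSearchIndex() tolerates NULL for both; otherwise the crash only moves one call earlier.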

    Index: admin.c

    --- admin.c (revision 5547)
    +++ admin.c (working copy)
    @@ -93,7 +93,8 @@
    if (!http)
    {
    perror("ERROR: Unable to connect to cupsd");

  • fprintf(stderr, "DEBUG: cupsServer()="%s"\n", cupsServer());

  • fprintf(stderr, "DEBUG: cupsServer()="%s"\n",

  •        cupsServer() ? cupsServer() : "(null)");
    

    fprintf(stderr, "DEBUG: ippPort()=%d\n", ippPort());
    fprintf(stderr, "DEBUG: cupsEncryption()=%d\n", cupsEncryption());
    exit(1);
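
Review bot: cupsServer() is now called twice in `cupsServer() ? cupsServer() : "(null)"`; assign the result once to a local (as the DEVICE_URI hunk below does with ptr) so that the value tested and the value printed are the same object and the call is not repeated.
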
    @@ -534,8 +535,9 @@
    };

  • ptr = cgiGetVariable("DEVICE_URI");
    fprintf(stderr, "DEBUG: do_am_printer: DEVICE_URI="%s"\n",

  •      cgiGetVariable("DEVICE_URI"));
    
  •      ptr ? ptr : "(null)");
    

    title = cgiText(modify ? _("Modify Printer") : _("Add Printer"));

Index: var.c

--- var.c (revision 5547)
+++ var.c (working copy)
@@ -949,7 +949,8 @@
{
(void)prompt;

  • fprintf(stderr, "DEBUG: cgi_passwd(prompt="%s") called!\n", prompt);

  • fprintf(stderr, "DEBUG: cgi_passwd(prompt="%s") called!\n",

  •      prompt ? prompt : "(null)");
    

    /*

    • Send a 401 (unauthorized) status to the server, so it can notify
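
Review bot: as in the html.c hunk, `(void)prompt;` is redundant now that prompt is used in the fprintf() that follows it. Separately, every file in this patch is under cgi-bin; the cupsd crash in the backtrace (pipe_command() at client.c:3508 passing options=0x0 through cupsdLogMessage() into vsnprintf() at log.c:213) is not touched by any hunk shown here, so that scheduler call site needs the same guard.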
