--=-8KpxnP81NRNqGGtcVgwN Content-Type: text/plain Content-Transfer-Encoding: quoted-printable
I was going to write a mail without the "(not)" but then discovered that this issue is actually a non-issue, but this is totally non-obvious. Would you know off-hand why? bin_w_string contains the following code: if (w->direction =3D=3D WIRE_DECODE) { if (len =3D=3D 0) *s =3D 0; else if (w->status =3D=3D 0) *(*s + len - 1) =3D '\0'; } If I interpret the code correctly, this could be used to bring the server (running the binary protocol) into an invalid state: 1) send any kind of request that requires a string option at the end, for example SANE_NET_AUTHORIZE 2) tell the server that the length is 10 or so 3) send 9 bytes and close the connection The server will react to this in the following way (if I interpret the code correctly): * during sanei_w_array it will notice that the status is bad and return * bin_w_string will not(!) zero-terminate the string (because it is assuming that *s is not valid, while it actually is) sanei_w_array doesn't clear the array if anything item fails to read. * now, the server has a password string that is not zero terminated, and strcpy()s that string accessing memory beyond the allocated size. [Actually, I discovered this while I was documenting the wire protocol. I think it is overly complex and the code badly structured, the wire's direction thing is really strange!] Ok, so here's the solution: The server does signal (SIGPIPE, quit); (which I think is actually another bug, why should sane_close, sane_exit, sanei_w_exit and lots of other functions be async signal safe?) Still, this is that non-obvious that someone writing a server (or client, which could then be attacked by a malevolent server) with the sanei library functions could easily oversee this detail, ignore SIGPIPE or use sockets that don't raise it. Therefore I'm still sending this mail in hope that someone fixes the sanei_w_array function to check for status !=3D 0 and clean up after itself. johannes --=-8KpxnP81NRNqGGtcVgwN Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Comment: Johannes Berg (SIP Solutions) iQIVAwUAQW/U16Vg1VMiehFYAQItGRAApmPf+qNwUfTzFswVVe1K10VSArYVmcOJ 1wN5J3zAhf9oC7gSavY5q2Y5gCZoyCj2+p+iSWf3sjDAV2+RH8WVIS34IItamOC8 zyj9g8/NgHtaF99tTi7/O2j0/3eMvr9t4/dipDZ7l83EI7C0ZYv2CsGX97dmdXf8 HPJo/9Tl4DA+UsBGMngGsj7flVrjf2zThkJzcPqEAgLv8v2Mv4LW5JNtxZIozgGM LvLdRgYS7SVtt+owY+2bSLdW3V0dYp/QXwqHNXSvZfFHe1FT9AVZBwvF1573J14v t+T3AwNV/qRxZC4d/0VD6JsPWJA11HFA3agutUK4TN1G10lH+1BkmoM8NXVWWy9p 9jh1G8FsQsPmnV1WGY6jy6JF4rFLARrjfCIefcDKQt5kEC8s9eMiT0+wayvUYZRr bhO6oOgunMoPpNX3AxyvDhwzZ1uZmoied7QY+C783pY7kIWtZ45mFFCsznnX6FFN jwhFjubDeyK03SxTzit7KsBy89wTLXqQIaKKR2IqXc9KlXEUp/UGMoEsQSjBBKth pUSlKymbhp9kSni0DZ8LGX/G9gYhnK0yMxNUYVzBnp8GWuqC/IO/aHX2rR8n0y+W ztf389uXOpGU7EHKRPW4NfHuzvnW2CZBN9/ReXwkrMPT4K3enB8dAsh3ipj7Ruzh FaYv+5kkYgU= =867r -----END PGP SIGNATURE----- --=-8KpxnP81NRNqGGtcVgwN--