[sane-devel] [BUG] saned: missing input sanitization
On Sat, 2004-10-16 at 16:10 +0200, Henning Meier-Geinitz wrote:
> For sane_net a zero-length string is 0 0 0 1 0 (Array of length 1 which
> only contains a 0 byte as end marker).

Reading through the code again -- looks like you're right. Somehow I got
the impression that it was the same, but don't remember where I read that
now.

johannes
[sane-devel] [BUG] saned: missing input sanitization
Hi,

On Sat, Oct 16, 2004 at 04:01:20PM +0200, Johannes Berg wrote:
> I think the problem is that the network layer does not distinguish
> between zero-length strings and NULL pointers -- as far as I can see it
> interprets a zero-length string

A zero-length string is e.g. SANE_String hubba = "";

> (which is only a byte-array after all)

For sane_net a zero-length string is 0 0 0 1 0 (Array of length 1 which
only contains a 0 byte as end marker).

> as a NULL string.

I hope it doesn't. A NULL string is encoded as an array of length 0 (and
has no data). Zero-length is ok in sane_open, NULL isn't.

Bye,
  Henning
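The distinction Henning draws above (array of length 0 = NULL pointer, array of length 1 holding a single 0 byte = "") is exactly the check a decoder has to make before the name reaches strdup(). The C below is an added example, not saned's code or the SANE project's decoder. It assumes the wire layout the thread's "0 0 0 1 0" implies: a 4-byte big-endian length word followed by that many bytes, with a non-NULL string carrying its own terminating 0 byte. The function names (decode_net_string, handle_open_name, decoded_length) and the result codes are hypothetical, and the sample requests are constructed here rather than captured from a client. Beyond the NULL case the example also rejects an unterminated or truncated array, which would otherwise let strdup() read past the received buffer.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() under strict -std=c99 */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Outcome of decoding one SANE_NET string (an array of bytes on the wire). */
enum net_str_status {
    NET_STR_OK,        /* a real C string, *out points at it           */
    NET_STR_NULL,      /* array of length 0: a NULL SANE_String        */
    NET_STR_SHORT,     /* buffer ends before the announced array does  */
    NET_STR_MALFORMED  /* non-empty array without a trailing 0 byte    */
};

/* Decode a string from buf[0..len).  Assumed layout: 32-bit big-endian
 * array length, then the bytes.  Length 0 encodes a NULL pointer; a real
 * string includes its 0 terminator, so "" is 00 00 00 01 00.
 * On NET_STR_OK, *out points into buf and *consumed is the bytes used. */
static enum net_str_status
decode_net_string(const uint8_t *buf, size_t len,
                  const char **out, size_t *consumed)
{
    *out = NULL;
    *consumed = 0;
    if (len < 4)
        return NET_STR_SHORT;

    uint32_t n = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                 ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];

    /* Compare with the remaining space, never compute 4 + n first:
     * a hostile length must not be able to wrap the arithmetic. */
    if (n > len - 4)
        return NET_STR_SHORT;

    if (n == 0) {
        *consumed = 4;
        return NET_STR_NULL;
    }
    if (buf[4 + n - 1] != 0)
        return NET_STR_MALFORMED;   /* strdup() would run past the array */

    *out = (const char *)(buf + 4);
    *consumed = 4 + n;
    return NET_STR_OK;
}

/* Result codes for the SANE_NET_OPEN name check below (hypothetical). */
enum open_result {
    OPEN_ACCEPTED    =  0,  /* name is a string, "" included       */
    OPEN_NULL_NAME   = -1,  /* protocol violation: NULL pointer    */
    OPEN_BAD_REQUEST = -2,  /* truncated or unterminated array     */
    OPEN_NOMEM       = -3
};

/* Stand-in for the server side of SANE_NET_OPEN: decode the device name
 * and apply the rule from the thread.  A zero-length name is legal; a NULL
 * name is rejected before anything can call strdup() on it. */
static enum open_result
handle_open_name(const uint8_t *req, size_t req_len)
{
    const char *name;
    size_t used;
    enum net_str_status st = decode_net_string(req, req_len, &name, &used);

    if (st == NET_STR_NULL)
        return OPEN_NULL_NAME;        /* unchecked, this was the segfault */
    if (st != NET_STR_OK)
        return OPEN_BAD_REQUEST;

    char *copy = strdup(name);        /* safe: name is 0-terminated */
    if (copy == NULL)
        return OPEN_NOMEM;
    /* a real server would look the device up by `copy` here */
    free(copy);
    return OPEN_ACCEPTED;
}

/* Length of the decoded string, -1 for a NULL string, -2 if undecodable. */
static long decoded_length(const uint8_t *buf, size_t len)
{
    const char *s;
    size_t used;
    switch (decode_net_string(buf, len, &s, &used)) {
    case NET_STR_OK:   return (long)strlen(s);
    case NET_STR_NULL: return -1;
    default:           return -2;
    }
}

/* Constructed sample requests (not captured from a real client). */
static const uint8_t WIRE_EMPTY[]     = { 0, 0, 0, 1, 0 };                /* ""    */
static const uint8_t WIRE_NULL[]      = { 0, 0, 0, 0 };                   /* NULL  */
static const uint8_t WIRE_NAME[]      = { 0, 0, 0, 4, 'n', 'e', 't', 0 }; /* "net" */
static const uint8_t WIRE_NO_NUL[]    = { 0, 0, 0, 3, 'n', 'e', 't' };    /* no 0  */
static const uint8_t WIRE_TRUNCATED[] = { 0, 0, 0, 9, 'n' };              /* short */
static const uint8_t WIRE_HUGE[]      = { 0xFF, 0xFF, 0xFF, 0xFF, 0 };    /* 4 GiB */

int main(void)
{
    printf("empty=%d null=%d name=%d no_nul=%d truncated=%d huge=%d\n",
           handle_open_name(WIRE_EMPTY, sizeof WIRE_EMPTY),
           handle_open_name(WIRE_NULL, sizeof WIRE_NULL),
           handle_open_name(WIRE_NAME, sizeof WIRE_NAME),
           handle_open_name(WIRE_NO_NUL, sizeof WIRE_NO_NUL),
           handle_open_name(WIRE_TRUNCATED, sizeof WIRE_TRUNCATED),
           handle_open_name(WIRE_HUGE, sizeof WIRE_HUGE));
    return 0;
}
```

The length check is written as `n > len - 4` rather than `4 + n > len` on purpose: with a 32-bit length under attacker control, the latter form can wrap on a 32-bit size_t and admit a length far larger than the buffer.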
[sane-devel] [BUG] saned: missing input sanitization
On Sat, 2004-10-16 at 15:48 +0200, Henning Meier-Geinitz wrote:
> I've added a check to CVS. It returns an error to the client because I
> think that's a protocol violation. Zero-length strings are allowed for
> sane_open but not NULL-pointers.

I think the problem is that the network layer does not distinguish
between zero-length strings and NULL pointers -- as far as I can see it
interprets a zero-length string (which is only a byte-array after all)
as a NULL string.

johannes
[sane-devel] [BUG] saned: missing input sanitization
Hi,

On Fri, Oct 15, 2004 at 03:47:40PM +0200, Johannes Berg wrote:
> SANE_NET_OPEN makes saned segfault if a NULL name is passed, because it
> tries to strdup() the name without checking for != NULL.

I've added a check to CVS. It returns an error to the client because I
think that's a protocol violation. Zero-length strings are allowed for
sane_open but not NULL-pointers.

Could you check if that works and doesn't create any new bugs?

Bye,
  Henning
[sane-devel] [BUG] saned: missing input sanitization
SANE_NET_OPEN makes saned segfault if a NULL name is passed, because it
tries to strdup() the name without checking for != NULL.

johannes