Details

Reviewers

markj

Commits

rG9065be0a5902: lpd: Improve robustness

Summary

Check for integer overflow when receiving file sizes.

Check for buffer overflow when receiving file names, and fully validate the names.

Check for integer overflow when checking for available disk space.

Check for I/O errors when sending status codes.

Enforce one job per connection and one control file per job (see code comments for additional details).

Simplify readfile(), avoiding constructs vulnerable to integer overflow.

Don't delete files we didn't create.

Rename read_number() to read_minfree() since that's all it's used for, and move all the minfree logic into it.

Fix a few style issues.

PR: 293278
MFC after: 3 days

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 70967
Build 67850: arc lint + arc unit

Event Timeline

des created this revision.Fri, Feb 20, 4:03 PM

Herald added a subscriber: imp. · View Herald TranscriptFri, Feb 20, 4:03 PM

des requested review of this revision.Fri, Feb 20, 4:03 PM

Harbormaster completed remote builds in B70819: Diff 172316.Fri, Feb 20, 4:03 PM

des added a child revision: D55400: lpd: Add timeout option.Fri, Feb 20, 4:03 PM

des added a reviewer: markj.Fri, Feb 20, 4:05 PM

markj accepted this revision.Sat, Feb 21, 2:52 AM

markj added inline comments.

usr.sbin/lpr/lpd/recvjob.c
209	This validation is new AFAICS. It probably deserves to be mentioned explicitly in the commit log message.
260	Same comment here with respect to the commit log message.
293–297
332	We're reading stdout...?

This revision is now accepted and ready to land.Sat, Feb 21, 2:52 AM

des added inline comments.Sat, Feb 21, 8:44 AM

usr.sbin/lpr/lpd/recvjob.c
209	It's new but in line with RFC 1179 and necessary. I didn't realize this until just now (and neither did the reporter) but without this check, `lpd` will let any client upload files to the print spool that never get picked up for processing and never get deleted.
293–297	Normally I'd agree but this is the established style here (and in a lot of CSRG code).
332	Yes, that's our TCP socket, see inside the `fork() == 0` block in `lpd.c`.

don't delete files we didn't create

This revision now requires review to proceed.Sat, Feb 21, 2:11 PM

Harbormaster completed remote builds in B70850: Diff 172382.Sat, Feb 21, 2:11 PM

des edited the summary of this revision. (Show Details)Sat, Feb 21, 2:11 PM

markj accepted this revision.Sat, Feb 21, 3:37 PM

markj added inline comments.

usr.sbin/lpr/lpd/recvjob.c
399	This will fail if `size` is a multiple of 512 and `avail - minfree == size / 512`, which seems wrong.

This revision is now accepted and ready to land.Sat, Feb 21, 3:37 PM

des added inline comments.Sat, Feb 21, 3:49 PM

usr.sbin/lpr/lpd/recvjob.c
209	...and fwiw it's already mentioned in the commit log: “fully validate the names”.
399	It's an intentional omission. To handle this situation correctly I would either have to add a special case just for when `size` is a multiple of 512 or deal with the possible overflow in `(size + 511) / 512`. The whole thing is best-effort anyway and easily circumvented, so I chose not to deal with it.

des edited the summary of this revision. (Show Details)Sat, Feb 21, 4:33 PM

fix multi-file jobs

This revision now requires review to proceed.Sat, Feb 21, 4:34 PM

Harbormaster completed remote builds in B70853: Diff 172389.Sat, Feb 21, 4:34 PM

des edited the summary of this revision. (Show Details)Sat, Feb 21, 4:58 PM

really fix multi-file jobs

Harbormaster completed remote builds in B70855: Diff 172391.Sat, Feb 21, 4:59 PM

markj added inline comments.Tue, Feb 24, 4:28 PM

usr.sbin/lpr/lpd/recvjob.c
158–159	Did you mean to leave this in?
265	Should this be kept?

remove debugging

des marked 7 inline comments as done.Tue, Feb 24, 5:39 PM

des added inline comments.

usr.sbin/lpr/lpd/recvjob.c
158–159	grrr no, thank you for catching it

des marked an inline comment as done.Tue, Feb 24, 5:39 PM

Harbormaster completed remote builds in B70967: Diff 172618.Tue, Feb 24, 5:39 PM

portmaster_BSDforge.com added a subscriber: portmaster_BSDforge.com.Tue, Feb 24, 7:27 PM

cy added a subscriber: cy.Wed, Feb 25, 4:51 PM

I'm not sure about a 3 day MFC timeout, but I'm also not sure that any significant number of people are using this code on main.

This revision is now accepted and ready to land.Wed, Feb 25, 9:02 PM

In D55399#1270387, @markj wrote:

I'm not sure about a 3 day MFC timeout, but I'm also not sure that any significant number of people are using this code on main.

I assumed that we'd want to merge it quickly to 15 and especially 14...

In D55399#1270409, @des wrote:

In D55399#1270387, @markj wrote:

I'm not sure about a 3 day MFC timeout, but I'm also not sure that any significant number of people are using this code on main.

I assumed that we'd want to merge it quickly to 15 and especially 14...

Given how long the bugs have been there, I wouldn't rush, but it is up to you. I expect Colin would be apprehensive about taking this patch into 14.4 at this point.

Closed by commit rG9065be0a5902: lpd: Improve robustness (authored by des). · Explain WhyThu, Feb 26, 6:16 AM

This revision was automatically updated to reflect the committed changes.

des added a commit: rG9065be0a5902: lpd: Improve robustness.

lpd: Improve robustness
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 172618

usr.sbin/lpr/lpd/recvjob.c

lpd: Improve robustnessClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 172618

usr.sbin/lpr/lpd/recvjob.c

lpd: Improve robustness
ClosedPublic
Actions

Revision Contents
Changeset List