cupsdGetPrivateAttrs() function in scheduler/policy.c is missing NULL check for input parameters.

3 files changed, 100 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index 61049db1..df5979d1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
 cups (1.7.1-5ubuntu7) trusty; urgency=low
 
+  * fix-cupsdgetprivateattrs-function-missing-null-check.patch:
+    cupsdGetPrivateAttrs() function in scheduler/policy.c is missing NULL
+    check for input parameters (CUPS STR #4378, LP: #1284568).
   * fix-race-condition-in-cupsdoiorequest.patch: Fix race condition in
     cupsDoIORequest(). When cupsDoIORequest() sends a request that will fail
     due to lack of credentials, if the server closes the connection after
diff --git a/debian/patches/fix-cupsdgetprivateattrs-function-missing-null-check.patch b/debian/patches/fix-cupsdgetprivateattrs-function-missing-null-check.patch
new file mode 100644
index 00000000..aa264bd1
--- /dev/null
+++ b/debian/patches/fix-cupsdgetprivateattrs-function-missing-null-check.patch
@@ -0,0 +1,96 @@
+Description: cupsdGetPrivateAttrs() function in scheduler/policy.c is
+ missing NULL check for input parameters.
+Author: Michael Sweet <msweet@apple.com>
+Bug: http://www.cups.org/str.php?L4378
+--- a/scheduler/policy.c
++++ b/scheduler/policy.c
+@@ -1,32 +1,16 @@
+ /*
+  * "$Id: policy.c 10996 2013-05-29 11:51:34Z msweet $"
+  *
+- *   Policy routines for the CUPS scheduler.
++ * Policy routines for the CUPS scheduler.
+  *
+- *   Copyright 2007-2011 by Apple Inc.
+- *   Copyright 1997-2006 by Easy Software Products, all rights reserved.
++ * Copyright 2007-2011, 2014 by Apple Inc.
++ * Copyright 1997-2006 by Easy Software Products, all rights reserved.
+  *
+- *   These coded instructions, statements, and computer programs are the
+- *   property of Apple Inc. and are protected by Federal copyright
+- *   law.  Distribution and use rights are outlined in the file "LICENSE.txt"
+- *   which should have been included with this file.  If this file is
+- *   file is missing or damaged, see the license at "http://www.cups.org/".
+- *
+- * Contents:
+- *
+- *   AddPolicy()              - Add a policy to the system.
+- *   cupsdAddPolicyOp()       - Add an operation to a policy.
+- *   cupsdCheckPolicy()       - Check the IPP operation and username against a
+- *                              policy.
+- *   cupsdDeleteAllPolicies() - Delete all policies in memory.
+- *   cupsdFindPolicy()        - Find a named policy.
+- *   cupsdFindPolicyOp()      - Find a policy operation.
+- *   cupsdGetPrivateAttrs()   - Get the private attributes for the current
+- *                              request.
+- *   compare_ops()            - Compare two operations.
+- *   compare_policies()       - Compare two policies.
+- *   free_policy()            - Free the memory used by a policy.
+- *   hash_op()                - Generate a lookup hash for the operation.
++ * These coded instructions, statements, and computer programs are the
++ * property of Apple Inc. and are protected by Federal copyright
++ * law.  Distribution and use rights are outlined in the file "LICENSE.txt"
++ * which should have been included with this file.  If this file is
++ * file is missing or damaged, see the license at "http://www.cups.org/".
+  */
+ 
+ /*
+@@ -48,7 +32,7 @@
+ 
+ 
+ /*
+- * 'AddPolicy()' - Add a policy to the system.
++ * 'cupsdAddPolicy()' - Add a policy to the system.
+  */
+ 
+ cupsd_policy_t *			/* O - Policy */
+@@ -136,7 +120,7 @@
+ 
+   if (!p || !con)
+   {
+-    cupsdLogMessage(CUPSD_LOG_CRIT, "cupsdCheckPolicy: p=%p, con=%p!", p, con);
++    cupsdLogMessage(CUPSD_LOG_CRIT, "cupsdCheckPolicy: p=%p, con=%p.", p, con);
+ 
+     return ((http_status_t)0);
+   }
+@@ -147,7 +131,7 @@
+ 
+   if ((po = cupsdFindPolicyOp(p, con->request->request.op.operation_id)) == NULL)
+   {
+-    cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCheckPolicy: No matching operation, returning 0!");
++    cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCheckPolicy: No matching operation, returning 0.");
+     return ((http_status_t)0);
+   }
+ 
+@@ -263,7 +247,7 @@
+     return (po);
+   }
+ 
+-  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindPolicyOp: No match found!");
++  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindPolicyOp: No match found.");
+ 
+   return (NULL);
+ }
+@@ -296,6 +280,12 @@
+ 		  con->http.fd, printer, printer ? printer->name : "", owner);
+ #endif /* DEBUG */
+ 
++  if (!policy)
++  {
++    cupsdLogMessage(CUPSD_LOG_CRIT, "cupsdGetPrivateAttrs: policy=%p, con=%p, printer=%p, owner=\"%s\", DefaultPolicyPtr=%p: This should never happen, please report a bug.", policy, con, printer, owner, DefaultPolicyPtr);
++    policy = DefaultPolicyPtr;
++  }
++
+  /*
+   * Get the access and attributes lists that correspond to the request...
+   */
diff --git a/debian/patches/series b/debian/patches/series
index de278467..2066639a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,5 +1,6 @@
 # patches accepted and committed upstream:
 fix-race-condition-in-cupsdoiorequest.patch
+fix-cupsdgetprivateattrs-function-missing-null-check.patch
 cupsenumdests-does-not-set-cb.patch
 cupsd-enable-dbus-threading-support.patch