[sane-devel] Canon ImageClass MF644Cdw
Louis Lagendijk
louis at fazant.net
Mon Nov 4 22:27:27 GMT 2019
On Thu, 2019-10-31 at 16:31 -0700, Ralph Little wrote:
> Hi,
>
> On Thu, Oct 31, 2019 at 4:12 PM David McMahon <thedjm at gmail.com>
> wrote:
> > Thanks for the clue! Looking on that on the settings page of the
> > printer, the hostname is the default of "Canoncbcab3" which seems
> > harmless enough. I changed it to "Can" to see if that changed
> > anything, but still getting the buffer overflow.
> > If you have a link handy to that part of the code, can you point me
> > to it? Maybe it's something else right after the strcpy().
> >
>
> Hmm, that might have been slightly misleading.
>
> I'm looking at backend/pixma_bjnp.c at line 801, which is where we
> see the last successful debug message from the function
> get_scanner_id():
>
> "get_scanner_id: Scanner model = ...."
>
>
> It returns to the only place it is called, line 1817 in
> add_scanner().
> We don't get the error message (at line 1819) so it must next call
> the function determine_scanner_serial() which attempts to determine a
> "serial number" for the scanner.
> This could be one of a selection of things, so that might be the
> culprit, since it does some strcpy() calls in there, although we
> don't have any debug messages in there, so we don't really know how
> far it got before the buffer overrun struck :(
>
> If it were me chasing this, I would add some more dbg messages to see
> how far it got, perhaps one after the call to
> determine_scanner_serial() to see if it returned to start off with.
> If it didn't, some dbg in the function determine_scanner_serial() to
> see what it decided.
>
> Cheers,
> Ralph
Could be, but it may also be caused by the call to
parse_IEEE1284_to_model at the end of get_scanner_id. The use of
BJNP_IEEE1284_MAX in the strcpy (already replaced by a memcpy) may be
incorrect there. It probably should be a strlen(tok + 4). The next line
should be removed, so the code reads (with a bit of readability
improvement):
/* BJNP_IEEE1284_MAX is the backend's buffer size for the IEEE1284 ID */
static int
parse_IEEE1284_to_model (char *scanner_id, char *model)
{
  /*
   * parses the IEEE1284 ID of the scanner to retrieve make and model
   * of the scanner
   * Returns: 0 = not found
   *          1 = found, model is set
   */
  char s[BJNP_IEEE1284_MAX];
  char *tok;
  char *model_str;

  strncpy (s, scanner_id, BJNP_IEEE1284_MAX);
  s[BJNP_IEEE1284_MAX - 1] = '\0';
  model[0] = '\0';

  tok = strtok (s, ";");
  while (tok != NULL)
    {
      /* MDL contains make and model */
      if (strncmp (tok, "MDL:", 4) == 0)
        {
          model_str = tok + 4;
          /* copy the value together with its terminating NUL */
          memcpy (model, model_str, strlen (model_str) + 1);
          return 1;
        }
      tok = strtok (NULL, ";");
    }
  return 0;
}
I will include this in my next push to git
BR, Louis
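As an added example (not code from the SANE backend or from anyone in this thread), a bounded IEEE 1284 field extractor in C: the caller passes the destination size, so an oversized MDL value is truncated rather than written past the end of the model buffer, which is the kind of overrun discussed above. The function name ieee1284_get_field and the sample device ID string are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy the value of one "KEY:value;" field of an IEEE 1284 device ID into
 * out, never writing more than out_len bytes. Returns 1 if the key was
 * found (value possibly truncated), 0 if absent; out is always
 * NUL-terminated when out_len > 0. */
int ieee1284_get_field(const char *id, const char *key,
                       char *out, size_t out_len)
{
    size_t klen = strlen(key);
    const char *p = id;

    if (out_len == 0)
        return 0;
    out[0] = '\0';

    while (*p != '\0') {
        /* A field runs up to the next ';' or to the end of the string. */
        const char *end = strchr(p, ';');
        size_t flen = end ? (size_t)(end - p) : strlen(p);

        /* Match "KEY:" at the start of this field only. */
        if (flen > klen && p[klen] == ':' && strncmp(p, key, klen) == 0) {
            const char *val = p + klen + 1;
            size_t vlen = flen - klen - 1;
            if (vlen > out_len - 1)
                vlen = out_len - 1;   /* truncate instead of overflowing */
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample ID, not captured from a real device. */
    const char *id = "MFG:Canon;CMD:BJNP;MDL:MF644Cdw;CLS:PRINTER;";
    char model[8];  /* deliberately too small for "MF644Cdw" */

    if (ieee1284_get_field(id, "MDL", model, sizeof model))
        printf("model = \"%s\"\n", model);
    return 0;
}
```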