[sane-devel] Canon ImageClass MF644Cdw

Ralph Little skelband at gmail.com
Thu Oct 31 23:31:44 GMT 2019


On Thu, Oct 31, 2019 at 4:12 PM David McMahon <thedjm at gmail.com> wrote:

> Thanks for the clue!  Looking at that on the settings page of the printer,
> the hostname is the default of "Canoncbcab3" which seems harmless enough.
> I changed it to "Can" to see if that changed anything, but still getting
> the buffer overflow.
> If you have a link handy to that part of the code, can you point me to
> it?  Maybe it's something else right after the strcpy().

Hmm, that might have been slightly misleading.

I'm looking at backend/pixma_bjnp.c at line 801, which is where we see the
last successful debug message from the function get_scanner_id():

"get_scanner_id: Scanner model = ...."

It returns to the only place it is called, line 1817 in add_scanner().
We don't get the error message (at line 1819) so it must next call the
function determine_scanner_serial() which attempts to determine a "serial
number" for the scanner.
This could be one of a selection of things, so that might be the culprit,
since it does some strcpy() calls in there, although we don't have any
debug messages in there, so we don't really know how far it got before the
buffer overrun struck :(

If it were me chasing this, I would add some more dbg messages to see how
far it got, perhaps one after the call to determine_scanner_serial() to see
if it returned to start off with. If it didn't, some dbg in the function
determine_scanner_serial() to see what it decided.
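
Added example, not part of the original message and not code from sane-backends: a bounded copy that logs the source length and buffer size before copying gives the kind of trace described above around a suspected strcpy(). The names traced_copy, pick_serial and SERIAL_MAX, the buffer size and the candidate list are hypothetical; only the hostname "Canoncbcab3" comes from the thread.

```c
#include <stdio.h>
#include <string.h>

#define SERIAL_MAX 16 /* assumed destination size, not taken from SANE */

/* Bounded replacement for strcpy() that logs what it is about to do.
 * Returns 0 on success, -1 if src (with its NUL) does not fit in dst. */
static int traced_copy(char *dst, size_t cap, const char *src, const char *what)
{
    size_t need = strlen(src) + 1;

    fprintf(stderr, "traced_copy: %s needs %zu bytes, buffer holds %zu\n",
            what, need, cap);
    if (need > cap) {
        fprintf(stderr, "traced_copy: %s does not fit, copy refused\n", what);
        if (cap > 0)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, need);
    return 0;
}

/* Hypothetical stand-in for a routine that picks a serial from several
 * candidate strings. Returns the index of the candidate used, or -1. */
static int pick_serial(char *serial, size_t cap, const char *const *cand,
                       const char *const *name, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (cand[i] == NULL || cand[i][0] == '\0')
            continue; /* nothing to copy for this candidate */
        if (traced_copy(serial, cap, cand[i], name[i]) == 0)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed inputs; only "Canoncbcab3" appears in the thread. */
    const char *const cand[] = { "constructed-value-longer-than-buffer",
                                 "Canoncbcab3" };
    const char *const name[] = { "first candidate", "hostname" };
    char serial[SERIAL_MAX] = "";

    int used = pick_serial(serial, sizeof serial, cand, name, 2);
    fprintf(stderr, "main: used candidate %d, serial = \"%s\"\n", used, serial);
    return used < 0;
}
```

The stderr trace shows which candidate was being copied and how many bytes it needed, which is the information missing from the existing debug output.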
