Date: Thu, 25 Jun 2015 08:22:23 +0000
From: Eric Wong
To: Ruby developers
Message-ID: <20150625082223.GA26549@dcvr.yhbt.net>
Subject: [ruby-core:69737] Re: [Ruby trunk - Bug #11306] [Open] Segmentation fault

dsaronin@gmail.com wrote:
> static VALUE cups_get_device_uri(VALUE self, VALUE printer)
> {
>   if (!printer_exists(printer))
>   {
>     rb_raise(rb_eRuntimeError, "The printer or destination doesn't exist!");
>   }
>
>   VALUE options_list;
>   http_t *http;
>   ipp_t *request;
>   ipp_t *response;
>   ipp_attribute_t *attr;
>   char uri[1024];
>   char *location;
>   char *name = RSTRING_PTR(printer);

You want to use StringValueCStr or StringValuePtr when you see
untrusted user-input instead of RSTRING_PTR.  RSTRING_PTR will segfault
if the user calls a function with a non-String.

>   request = ippNewRequest(IPP_GET_PRINTER_ATTRIBUTES);
>   httpAssembleURIf(HTTP_URI_CODING_ALL, uri, sizeof(uri), "ipp", NULL, "localhost", 0, "/printers/%s", name);

You also need to add a GC guard for VALUE where you got `name' from
after the last use of `name' in your function:

	RB_GC_GUARD(printer);

Nowadays with better optimizing compilers, the `volatile' type qualifier
for args in the StringValue* family functions is insufficient to protect
VALUEs from inadvertent GC.  RB_GC_GUARD must be used.

See doc/extension.rdoc in the latest Ruby trunk or README.EXT in the
2.2 source tarball for more info on these APIs.

And feel free to ask for clarification here on the ruby-core ML.

> cups.c (14.2 KB)

Lots of similar problems in cups.c too.  The same pattern described
above needs to happen with RSTRING_PTR => StringValueCStr/StringValuePtr
and the addition of RB_GC_GUARD calls after the last access to the
underlying pointer.
There may be other problems in the code, too, but these are the ones that jumped out to my tired, sleepy eyes...
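
To locate every instance of the pattern described in the message above across a file such as cups.c, here is a heuristic audit script. It is an added example, not code from the message's author, the original poster or the Ruby project. The `audit` helper and its finding names are hypothetical, and both C samples are constructed (modelled on the quoted function, with an assumed return statement).

```ruby
# Heuristic audit of Ruby C-extension source: RSTRING_PTR on an unchecked VALUE,
# and a raw pointer with no RB_GC_GUARD. Assumes functions end with "}" in column 0.
RAW_PTR = /\b(RSTRING_PTR|StringValuePtr|StringValueCStr)\s*\(\s*(\w+)\s*\)/

def audit(src)
  src.split(/^\}/).flat_map do |body|
    func = body[/^(?:static\s+)?VALUE\s+(\w+)\s*\(/, 1]
    next [] unless func
    body.to_enum(:scan, RAW_PTR).flat_map do
      m = Regexp.last_match
      macro, var = m[1], m[2]
      # StringValue* coerce or raise TypeError; Check_Type raises on a mismatch.
      checked = macro != "RSTRING_PTR" ||
                m.pre_match =~ /\bStringValue(?:Ptr|CStr)?\s*\(\s*#{var}\s*\)/ ||
                m.pre_match =~ /\bCheck_Type\s*\(\s*#{var}\s*,\s*T_STRING\s*\)/
      # Only checks that a guard appears later, not that it follows the last use.
      guarded = m.post_match =~ /\bRB_GC_GUARD\s*\(\s*#{var}\s*\)/
      [(:unchecked_rstring_ptr unless checked), (:missing_gc_guard unless guarded)]
        .compact.map { |problem| [func, var, problem] }
    end
  end
end

# Constructed sample modelled on the quoted function (return statement assumed).
BEFORE = <<~'C'
  static VALUE cups_get_device_uri(VALUE self, VALUE printer)
  {
    char uri[1024];
    char *name = RSTRING_PTR(printer);
    httpAssembleURIf(HTTP_URI_CODING_ALL, uri, sizeof(uri), "ipp", NULL,
                     "localhost", 0, "/printers/%s", name);
    return rb_str_new_cstr(uri);
  }
C

# Constructed corrected form following the advice in the message.
AFTER = <<~'C'
  static VALUE cups_get_device_uri(VALUE self, VALUE printer)
  {
    char uri[1024];
    char *name = StringValueCStr(printer); /* TypeError on a non-String */
    httpAssembleURIf(HTTP_URI_CODING_ALL, uri, sizeof(uri), "ipp", NULL,
                     "localhost", 0, "/printers/%s", name);
    RB_GC_GUARD(printer); /* after the last use of name */
    return rb_str_new_cstr(uri);
  }
C

puts audit(BEFORE).inspect, audit(AFTER).inspect
```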