Brother printers do not accept changes to default printer settings

Bug #537854 reported by rikster on 2010-03-12
This bug affects 6 people
Affects Status Importance Assigned to Milestone
brother-cups-wrapper-common (Ubuntu)

Bug Description

Binary package hint: brother-cups-wrapper-common

When printing a document there are device driver options that can be set via dialog windows such as whether to print in color/grayscale or the media size.

These options are passed from CUPS to a script appropriate for the specific Brother printer in /usr/lib/cups/filter/XXXX. The script, in turn, calls a symlink to the printer at /usr/Brother/Printer/XXX/cupswrapper/brcupsconfpt1. The symlinks for all of the bh7 printers, for example, point to the same executable of brcupsconfpt1 at /usr/Brother/Printer.

This C executable is badly written and is subject to buffer overflows if the length of the printer arguments passed to it is greater than 100. Thanks to gcc, most applications under Debian are compiled with stack smashing protection. This means the application silently dies without harm, but the printer options specified are not applied since the executable died before completion.

Ideally, Brother would write better device drivers without buffer overflow opportunities. In reality, I don't think they will get around to changing this anytime soon.

I have attached a patch which increases the size of the input buffer. It compiles and resolves the issue for me. The code is available from the Brother website and is licensed under the GPL. This modification should therefore be usable by Ubuntu.

ProblemType: Bug
Architecture: i386
Date: Thu Mar 11 20:32:50 2010
DistroRelease: Ubuntu 9.10
Package: brother-cups-wrapper-common 1.0.0-10-0ubuntu5
ProcVersionSignature: Ubuntu 2.6.31-20.57-generic
SourcePackage: brother-cups-wrapper-common
Uname: Linux 2.6.31-20-generic i686

rikster (lpad.nomad) wrote :
tags: added: patch
rikster (lpad.nomad) wrote :

This second patch is more robust than the first one. It uses strncpy rather than strcpy to guarantee that the program doesn't copy more bytes into a buffer than it has room for.

rikster (lpad.nomad) wrote :

The bug #423817, where a user encountered a buffer overflow followed by a segmentation fault in brcupsconfpt1, is probably caused by the same issue that the attached patch fixes.

rikster (lpad.nomad) wrote :

During compilation of the package gcc pointed out a location where the Brother drivers use an index which exceeds the array size. This problem could also cause a buffer overflow error, although it is separate from the problem previously reported. Nevertheless, it should probably be fixed at the same time when the patch above is applied.

Attached is a patch which corrects the coders misunderstanding about C arrays -- size runs from 1-MAXSIZE but array indexing runs from 0-MAXSIZE-1.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers