Hi!
> If inetd.conf is not set up properly to start saned, for example, if I
> specify the wrong path for saned :-( scanimage will crash on the remote
> machine with a seg fault. It may be true for any client, but I didn't
> try it.
The "bug" is that not every sanei call tests the wire.status field.
Here, in sanei_w_init_reply, sanei_w_status is called. It requests 4
bytes (reply.status), receives none, ignores the error status and reads
4 bytes. Then sanei_w_word (reply.version_code) is called and requests 4
bytes. Now sanei_w_space thinks there are still -4 bytes in the buffer
(because sanei_w_status read 4 bytes which didn't exist) and calls
memcpy(len = -4), which produces a SIGSEGV...
In this case, bin_w_word in sanei_codec_bin ignored the error code when
requesting 4 bytes.
To fix this bug, one would have to add a test for wire.status != 0 after
each sanei_w call in sanei_wire.c, sanei_net.c and sanei_codec_*.c
The backend net.c also contains such bugs because it calls sanei_w_*
functions without testing the wire.status afterwards...
-- jochen
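
The failure mode described in the message above, as an added example that is not part of the original e-mail and is not SANE source code. The toy_wire struct, its fields, the function names and the big-endian word layout are all hypothetical simplifications used to show an ignored status turning into a negative byte count, next to the checked form.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified wire state (not SANE's Wire struct). */
struct toy_wire {
    int status;              /* 0 = OK, otherwise an errno value */
    unsigned char buf[16];   /* bytes received from the peer */
    ptrdiff_t curr, end;     /* read cursor / end of valid data */
};

/* Request n readable bytes; record an error if the peer sent too few. */
static void toy_space(struct toy_wire *w, ptrdiff_t n)
{
    if (w->status == 0 && w->end - w->curr < n)
        w->status = EIO;
}

/* Unchecked pattern: the error is ignored and the cursor advances anyway.
 * Returns the "bytes left" value a later refill would use as a copy length. */
static ptrdiff_t unchecked_read_left(struct toy_wire *w)
{
    toy_space(w, 4);
    w->curr += 4;                 /* consumes 4 bytes that never arrived */
    return w->end - w->curr;      /* negative when nothing was received */
}

/* Checked pattern: test status right after the request, before using data. */
static int checked_read_word(struct toy_wire *w, unsigned long *out)
{
    toy_space(w, 4);
    if (w->status != 0)
        return -1;                /* cursor and *out are left untouched */
    const unsigned char *p = w->buf + w->curr;
    *out = ((unsigned long)p[0] << 24) | ((unsigned long)p[1] << 16) |
           ((unsigned long)p[2] << 8) | (unsigned long)p[3];
    w->curr += 4;
    return 0;
}

int main(void)
{
    struct toy_wire dead = {0};   /* constructed case: peer never answered */
    ptrdiff_t left = unchecked_read_left(&dead);
    /* As a size_t copy length, the negative count becomes enormous. */
    printf("left=%td as size_t=%zu\n", left, (size_t)left);
    struct toy_wire dead2 = {0};
    unsigned long v = 0;
    printf("checked read returns %d\n", checked_read_word(&dead2, &v));
    return 0;
}
```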
This archive was generated by hypermail 2b29 : Tue Jul 04 2000 - 04:58:52 PDT