Simple Printer Protocol. The service acts like a printer service, but obviously doesn't really print things. All of the data is parsed, but most of it is left unused, except for a few fields used in the queue state report.
- Print jobs
- Receive print jobs
- Manage print jobs (via control files)
- See queue state
- Remove jobs
One of the control subcommands is not securely handled.
Specifically, a user-provided argument to the 'T' (title for the document banner) control subcommand is used without a validity check on its length, causing a heap buffer overflow.
The overflow happens inside a job_t structure, which is located inside a printer_t structure as part of an array. Right next to the array of jobs is a function pointer for the 'tick' function.
By carefully choosing the job_id and title data, it is possible to achieve arbitrary code execution.
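The layout problem and its fix, as an added example that is not the service's own code: the field sizes, the `id` member and the names `set_title_unchecked`, `set_title_checked`, `bytes_to_tick` and `demo_rejects_overflow` are assumptions made for illustration; only `job_t`, `printer_t`, the title field and the 'tick' pointer come from the description above.

```c
#include <stddef.h>
#include <string.h>

#define MAX_JOBS   4    /* assumed; the description gives no sizes */
#define TITLE_LEN  32   /* assumed */

typedef struct {
    int  id;
    char title[TITLE_LEN];
} job_t;

typedef struct printer {
    job_t jobs[MAX_JOBS];
    void (*tick)(struct printer *);   /* sits right after the job array */
} printer_t;

/* Bytes between the start of a job's title and the tick pointer. */
size_t bytes_to_tick(int job_id) {
    return offsetof(printer_t, tick)
         - (offsetof(printer_t, jobs) + (size_t)job_id * sizeof(job_t)
            + offsetof(job_t, title));
}

/* Unchecked pattern as described: the length comes from the client. */
void set_title_unchecked(printer_t *p, int job_id, const char *arg, size_t len) {
    memcpy(p->jobs[job_id].title, arg, len);   /* no bound on len or job_id */
}

/* Hardened form: validate index and length, always NUL-terminate. */
int set_title_checked(printer_t *p, int job_id, const char *arg, size_t len) {
    if (job_id < 0 || job_id >= MAX_JOBS) return -1;
    if (len >= TITLE_LEN) return -1;           /* reject rather than truncate */
    memcpy(p->jobs[job_id].title, arg, len);
    p->jobs[job_id].title[len] = '\0';
    return 0;
}

static void noop_tick(printer_t *p) { (void)p; }

/* Returns 1 if an over-long title is rejected and tick is left untouched. */
int demo_rejects_overflow(void) {
    printer_t p;
    char big[TITLE_LEN + sizeof(void *) * 2];   /* constructed over-long input */
    memset(&p, 0, sizeof p);
    memset(big, 'A', sizeof big);
    p.tick = noop_tick;
    int rc = set_title_checked(&p, MAX_JOBS - 1, big, sizeof big);
    return rc == -1 && p.tick == noop_tick && p.jobs[MAX_JOBS - 1].title[0] == '\0';
}
```

With this layout the last job's title ends where the function pointer begins, so the length check in the 'T' handler is the only thing protecting `tick`.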
Generic class of vulnerability
CWE-122: Heap-based Buffer Overflow
There are many possible subcommands available for the control file. There is one case that isn't properly guarded.