Subject: Re: Fix for lprm
To: Paul Sijben <Paul.Sijben@huygens.org>
From: Chris G. Demetriou <cgd@cs.cmu.edu>
List: current-users
Date: 03/08/1997 17:47:30
> This is the fix:
> 351c351
> <               (void)snprintf(cp, len - (cp - s) - 2, " %d", requ[i]);
> ---
> >               (void)snprintf(cp, len - (cp - s) , " %d", requ[i]);
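
Review bot: the new size argument `len - (cp - s)` on the replacement line 351 drops the 2-byte reserve without saying what that reserve was for, so any bytes appended to `s` after this call (a terminator or newline, not visible in this hunk) would no longer have guaranteed room. If the job number was being cut off, the safer change is to size the buffer for the full request and keep the reserve rather than remove it. The `(void)` cast also discards the `snprintf` return value, so a truncated request would still be sent without any error; checking it would catch that.
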
> 362,363c362,363
> <       } else {
> <               if (write(rem, s, len) != i)
> ---
> >       } else { 
> >               if (write(rem, s, len) != len)
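
Review bot: the replacement for line 362, `} else { `, differs from the original only by an added trailing space, so it should be dropped from the patch, leaving the one-line change to the `write` comparison on line 363. On that line, `len` is the same value used as the buffer bound in the `snprintf` call at line 351; it is worth confirming that it equals the number of bytes actually placed in `s`, since `write(rem, s, len)` sends exactly `len` bytes.
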
> 
> The second prevents communication (the result is of the wrong length) and the
> first sends only the printer and the user name (not the job that is to be
> removed).

The latter fix appears correct, but the former is not (it allows
a buffer overflow).

I've just committed a fix to the source tree which solves the problem
for me.  If you continue to have problems, please send me mail about
them.  Also, if you'd like a copy of my patch so that you don't have
to wait until tomorrow to test it, get in touch.  8-)


chris