Bug 1037565

+++ This bug was initially created as a clone of Bug #1033528 +++

Description of problem:
xinetd segfaults when connecting to tcpmux service.


Version-Release number of selected component (if applicable):
2:xinetd-2.3.15-8.fc19.x86_64


Steps to Reproduce:
1. enable tcpmux service
2. create a sample tcpmux-activated service

service test
{
   id = tcpmux-test
   disable = no
   socket_type = stream
   wait = no
   user = root
   type = TCPMUXPLUS UNLISTED
   server = /bin/uname
   server_args = uname -s -r -v
   flags = NAMEINARGS
}

The order of server_args and flags is important.

3. run xinetd
4. telnet <host> 1
5. type 'test' and enter


Actual results:
Segfault.


Expected results:
Service is run as expected.


Additional info:

(gdb) bt
#0  0x00007f8f5cbcc9a0 in __strrchr_sse42 () from /lib64/libc.so.6
#1  0x00007f8f5dc025ae in access_control (sp=sp@entry=0x7f8f5f0f31a0, cp=cp@entry=0x7f8f5f109880, check_mask=check_mask@entry=0x0) at access.c:236
#2  0x00007f8f5dc12453 in svc_child_access_control (sp=sp@entry=0x7f8f5f0f31a0, cp=cp@entry=0x7f8f5f109880) at service.c:913
#3  0x00007f8f5dc05065 in child_process (serp=0x7f8f5f0fd300) at child.c:347
#4  0x00007f8f5dc03ff6 in tcpmux_handler (serp=0x7f8f5f109920) at builtins.c:650
#5  0x00007f8f5dc052f2 in child_process (serp=serp@entry=0x7f8f5f109920) at child.c:434
#6  0x00007f8f5dc10981 in server_start (serp=serp@entry=0x7f8f5f109920) at server.c:222
#7  0x00007f8f5dc10a98 in server_run (sp=sp@entry=0x7f8f5f0f30f0, cp=cp@entry=0x7f8f5f109880) at server.c:173
#8  0x00007f8f5dc122c1 in svc_generic_handler (sp=sp@entry=0x7f8f5f0f30f0, cp=cp@entry=0x7f8f5f109880) at service.c:684
#9  0x00007f8f5dc12309 in svc_request (sp=0x7f8f5f0f30f0) at service.c:652
#10 0x00007f8f5dc02165 in main_loop () at main.c:229
#11 main (argc=<optimized out>, argv=<optimized out>) at main.c:107

(gdb) up
#1  0x00007f8f5dc025ae in access_control (sp=sp@entry=0x7f8f5f0f31a0, cp=cp@entry=0x7f8f5f109880, check_mask=check_mask@entry=0x0) at access.c:236
236	            server = strrchr( SC_SERVER_ARGV(scp)[0], '/' );

(gdb) p *scp->sc_server_argv@3
$1 = {0x0, 0x7f8f5f107a20 "uname", 0x0}

Apparently, the server arg is there, but it's offset by 1.

This looks like the NAMEINARGS argument never worked correctly. If it's specified, the first argument of server_args in the config is supposed to be argv[0] (the name of the server).

Xinetd parses and applies its configuration line by line. If a user wants to specify NAMEINARGS as a flag, it has to be *before* specifying 'server_args'.

Just swapping 'server_args' and 'flags' lines in our example is enough...

The only reasonable fix that comes into my mind is to exit if NAMEINARGS is used *after* server_args is set. And, of course, make this fact cleanly visible in the documentation.

The 'proper' fix would be to make the config parsing aware of every other option set. This would probably have to be done in two passes and IMHO is just not worth it.

--- Additional comment from Jan Synacek on 2013-11-22 11:24:25 CET ---

Disable service if NAMEINARGS is present in flags and is specified after server_args.

--- Additional comment from Jan Synacek on 2013-11-22 11:24:49 CET ---

Shift server arguments if NAMEINARGS flag is specified after server_args.

--- Additional comment from Jan Synacek on 2013-11-22 11:25:05 CET ---

I consider patch v1 somewhat cleaner solution to the problem.

--- Additional comment from Fedora Update System on 2013-12-03 11:23:58 CET ---

xinetd-2.3.15-10.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/xinetd-2.3.15-10.fc20