Bug 141110

Summary: bug in table_match leads to segfault of process executing hosts_ctl
Product: [Fedora] Fedora Reporter: Nikita Shulga <malfet>
Component: tcp_wrappersAssignee: Thomas Woerner <twoerner>
Status: CLOSED RAWHIDE QA Contact: David Lawrence <dkl>
Severity: medium Docs Contact:
Priority: medium    
Version: 3CC: md
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-05-06 13:29:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
should fix this issue none

Description Nikita Shulga 2004-11-29 12:38:29 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
It first occured with slapd deamon when I tried to run stress test on
ldap-server. If one opens too may connection to slapd process, slapd
will receive SEG_FAULT eventually
Last message submitted to the log before the crash is: 
slapd[xxxx]:  warning: cannot open /etc/hosts.allow: Too many open files
When I started to investigate that, I find out, that crash happens du
to the following bug in table_match function in tcp_wrappers:
int table_match(...)
{
  /*sh_cmd variable is declared but not initialized here*/
  match=NO;
 
  ...
  if ((fp=open())!=0) {
     ....
     /*Initialize sh_cmd here*/
     .... 
 } else if (errno != ENOENT) {
     tcpd_warn()
     match = ERR;
 }
 if (match) {
    /*Use sh_cmd here*/
 }
  ....
}

So, it was assumed by developer, that match variable should be equal
to YES  in later if, but it tests it as non-zero.
The following patch fixes this problem:
--- tcp_wrappers_7.6/hosts_access.c.orig        2004-11-29
15:16:26.532074984 +0300
+++ tcp_wrappers_7.6/hosts_access.c     2004-11-29 15:15:47.500008760
+0300
@@ -177,7 +177,7 @@
        tcpd_warn("cannot open %s: %m", table);
        match = ERR;
     }
-    if (match) {
+    if (match == YES) {
        if (hosts_access_verbose > 1)
            syslog(LOG_DEBUG, "matched:  %s line %d",
                   tcpd_context.file, tcpd_context.line);


Version-Release number of selected component (if applicable):
tcp_wrappers-7.6-37.2

How reproducible:
Always

Steps to Reproduce:
1.Make sure that you have hosts.allow and hosts.deny
2.Run slapd with DB large enough
3.Load it heavily, with something like this
while /bin/true; do
ldapsearch -x "objectClass=*"
done

    

Actual Results:  slapd crashes

Additional info:

Comment 1 Nikita Shulga 2004-11-29 16:50:44 UTC
Created attachment 107553 [details]
should fix this issue

After studying .spec file I'd like to add few more comments:
1) This bug was introduced by tcp_wrappers-7.6-sig.patch
2) Another misbehaviour was added by that patch in host_access function. 
Originally it's tail was:
    if (table_match(hosts_allow_table, request))	      
	return (YES);					      
    if (table_match(hosts_deny_table, request)) 	
	return (NO);					     
    return (YES);
					      
After tcp_wrappers-7.6-sig.patch it turned to:
    if (table_match(hosts_allow_table, request))	      
	return (YES);					      
    if (table_match(hosts_deny_table, request) == NO)	      
	return (YES);					      
    return (NO);					      
But it should be:
    if (table_match(hosts_allow_table, request) == YES) 	     
	return (YES);					      
    if (table_match(hosts_deny_table, request) == NO)	      
	return (YES);					      
    return (NO);					      

Patch to tcp_wrappers-7.6-37.2 which will fix both issue is attached to this
comment

Comment 2 Thomas Woerner 2005-05-06 13:29:28 UTC
Fixed in rawhide in rpm tcp_wrappers-7.6-39 or newer.