Bug 187069

Summary: Crash on start-up when VPNC running
Product: Fedora
Component: vnc
Version: 5
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: Tim Waugh <twaugh>
Assignee: Radek Vokál <rvokal>
QA Contact: David Lawrence <dkl>
CC: esteban.xandri, karl, nphilipp
Fixed In Version: 4.1.1-38
Doc Type: Bug Fix
Last Closed: 2006-05-10 14:19:19 UTC

Description Tim Waugh 2006-03-28 08:18:24 UTC
Description of problem:
When VPNC is running, Xvnc crashes on start-up.  It's something to do with the
'tun0' interface.

Version-Release number of selected component (if applicable):
vnc-server-4.1.1-36

How reproducible:
100%

Steps to Reproduce:
1. Start vpnc
2. Xvnc :2
  
Actual results:
[tim@cyberelk ~]$ /sbin/ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.83.149  P-t-P:172.16.83.149  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
          RX packets:758 errors:0 dropped:0 overruns:0 frame:0
          TX packets:935 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:268878 (262.5 KiB)  TX bytes:70967 (69.3 KiB)

[tim@cyberelk ~]$ gdb --args Xvnc :2
GNU gdb Red Hat Linux (6.3.0.0-1.122rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...Using host libthread_db
library "/lib64/libthread_db.so.1".

(gdb) r
Starting program: /usr/bin/Xvnc :2

Program received signal SIGSEGV, Segmentation fault.
ConvertAddr (saddr=0x0, len=0x7fffff9b44ec, addr=0x7fffff9b44d8)
    at access.c:1861
1861        switch (saddr->sa_family)
(gdb) up
#1  0x0000000000519aa8 in DefineSelf (fd=Variable "fd" is not available.
) at access.c:983
983             family = ConvertAddr(ifr->ifa_addr, &len, (pointer *)&addr);
(gdb) p *ifr
$1 = {ifa_next = 0x7aac40, ifa_name = 0x7aac2c "tun0", ifa_flags = 4305,
  ifa_addr = 0x0, ifa_netmask = 0x0, ifa_ifu = {ifu_broadaddr = 0x0,
    ifu_dstaddr = 0x0}, ifa_data = 0x7ab210}
(gdb) bt
#0  ConvertAddr (saddr=0x0, len=0x7fffff9b44ec, addr=0x7fffff9b44d8)
    at access.c:1861
#1  0x0000000000519aa8 in DefineSelf (fd=Variable "fd" is not available.
) at access.c:983
#2  0x000000000051bb73 in CreateWellKnownSockets () at connection.c:432
#3  0x0000000000436590 in main (argc=2, argv=0x7fffff9b46e8,
    envp=0x7fffff9b4700) at main.c:318
#4  0x000000376d71d084 in __libc_start_main () from /lib64/libc.so.6
#5  0x00000000004159f9 in _start ()
#6  0x00007fffff9b46d8 in ?? ()
#7  0x0000000000000000 in ?? ()

Comment 1 Shane Stixrud 2006-04-20 01:37:12 UTC
I am having the same problem.  This also occurs when using openvpn (from extras).

Comment 2 karl kleinpaste 2006-04-27 01:19:13 UTC
I see this conflict with openvpn as well.  The specific symptom is that
getifaddrs() returns a set of interfaces within which the "tun0" entry has a
null "ifa_addr" pointer.

There are 3 possible places where the real bug may lie:
[1] In VNC's unix/xorg-server-1.0.1/os/access.c:DefineSelf()'s failure to handle
this case, if it is normal;
[2] In getifaddrs() having dared to return such a null pointer, if it is not
normal (in which case, this is actually a glibc bug?); or
[3] In the kernel's tun.c tunnel driver, if it failed to fill in returned
structures properly when queried for data about tun0.

I don't have time to dive deeply into this, but a simple-minded fix for the
first case is this (from the -36 source RPM):

--- unix/xorg-server-1.0.1/os/access.c~ 2005-11-08 01:33:30.000000000 -0500
+++ unix/xorg-server-1.0.1/os/access.c  2006-04-26 20:58:33.000000000 -0400
@@ -980,7 +980,9 @@
            continue;
 #endif /* DNETCONN */
        len = sizeof(*(ifr->ifa_addr));
-       family = ConvertAddr(ifr->ifa_addr, &len, (pointer *)&addr);
+       family = (ifr->ifa_addr ?
+                 ConvertAddr(ifr->ifa_addr, &len, (pointer *)&addr)
+                 : -1);
        if (family == -1 || family == FamilyLocal)
            continue;
 #if defined(IPv6) && defined(AF_INET6)
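Review bot: the guard does stop the NULL dereference from the gdb dump, but an early `if (ifr->ifa_addr == NULL) continue;` placed before `len = sizeof(*(ifr->ifa_addr));` reads more plainly than folding the check into a conditional expression, and it leaves the existing `family == -1` test with its original meaning (unsupported address family). The same dump shows `ifa_netmask = 0x0` for that entry, so any later use of `ifr->ifa_netmask` in this loop needs the same check.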

This works, but my suspicion is that the real problem is in getifaddrs().  It
seems to me that it is unreasonable to be returned a list of active interfaces
which fail to contain valid pointers to addressing structures.

Comment 3 Jitka Kozana 2006-04-28 12:56:13 UTC
I was trying to find out what the reason for the NULL pointer was.
Whatever it was -- if it is really a bug (to return NULL in this case), I
believe we will soon find out.

Comment 4 Jitka Kozana 2006-05-10 14:19:19 UTC
The problem should now be fixed in version 4.1.1-38.

Comment 5 Jitka Kozana 2006-05-10 14:21:07 UTC
*** Bug 187607 has been marked as a duplicate of this bug. ***