RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1037565 - xinetd segfaults when connecting to tcpmux service
Summary: xinetd segfaults when connecting to tcpmux service
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: xinetd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jan Synacek
QA Contact: Robin Hack
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-12-03 11:34 UTC by Jan Synacek
Modified: 2014-06-18 01:13 UTC (History)
2 users (show)

Fixed In Version: xinetd-2.3.15-9.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1033528
Environment:
Last Closed: 2014-06-13 12:43:01 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1029208 0 unspecified CLOSED xinetd segfaults when connecting to tcpmux service 2021-02-22 00:41:40 UTC

Internal Links: 1029208

Description Jan Synacek 2013-12-03 11:34:45 UTC 
+++ This bug was initially created as a clone of Bug #1033528 +++

Description of problem:
xinetd segfaults when connecting to tcpmux service.


Version-Release number of selected component (if applicable):
2:xinetd-2.3.15-8.fc19.x86_64


Steps to Reproduce:
1. enable tcpmux service
2. create a sample tcpmux-activated service

service test
{
   id = tcpmux-test
   disable = no
   socket_type = stream
   wait = no
   user = root
   type = TCPMUXPLUS UNLISTED
   server = /bin/uname
   server_args = uname -s -r -v
   flags = NAMEINARGS
}

The order of server_args and flags is important.

3. run xinetd
4. telnet <host> 1
5. type 'test' and enter


Actual results:
Segfault.


Expected results:
Service is run as expected.


Additional info:

(gdb) bt
#0  0x00007f8f5cbcc9a0 in __strrchr_sse42 () from /lib64/libc.so.6
#1  0x00007f8f5dc025ae in access_control (sp=sp@entry=0x7f8f5f0f31a0, cp=cp@entry=0x7f8f5f109880, check_mask=check_mask@entry=0x0) at access.c:236
#2  0x00007f8f5dc12453 in svc_child_access_control (sp=sp@entry=0x7f8f5f0f31a0, cp=cp@entry=0x7f8f5f109880) at service.c:913
#3  0x00007f8f5dc05065 in child_process (serp=0x7f8f5f0fd300) at child.c:347
#4  0x00007f8f5dc03ff6 in tcpmux_handler (serp=0x7f8f5f109920) at builtins.c:650
#5  0x00007f8f5dc052f2 in child_process (serp=serp@entry=0x7f8f5f109920) at child.c:434
#6  0x00007f8f5dc10981 in server_start (serp=serp@entry=0x7f8f5f109920) at server.c:222
#7  0x00007f8f5dc10a98 in server_run (sp=sp@entry=0x7f8f5f0f30f0, cp=cp@entry=0x7f8f5f109880) at server.c:173
#8  0x00007f8f5dc122c1 in svc_generic_handler (sp=sp@entry=0x7f8f5f0f30f0, cp=cp@entry=0x7f8f5f109880) at service.c:684
#9  0x00007f8f5dc12309 in svc_request (sp=0x7f8f5f0f30f0) at service.c:652
#10 0x00007f8f5dc02165 in main_loop () at main.c:229
#11 main (argc=<optimized out>, argv=<optimized out>) at main.c:107

(gdb) up
#1  0x00007f8f5dc025ae in access_control (sp=sp@entry=0x7f8f5f0f31a0, cp=cp@entry=0x7f8f5f109880, check_mask=check_mask@entry=0x0) at access.c:236
236	            server = strrchr( SC_SERVER_ARGV(scp)[0], '/' );

(gdb) p *scp->sc_server_argv@3
$1 = {0x0, 0x7f8f5f107a20 "uname", 0x0}

Apparently, the server arg is there, but it's offset by 1.

This looks like the NAMEINARGS argument never worked correctly. If it's specified, the first argument of server_args in the config is supposed to be argv[0] (the name of the server).

Xinetd parses and applies its configuration line by line. If a user wants to specify NAMEINARGS as a flag, it has to be *before* specifying 'server_args'.

Just swapping 'server_args' and 'flags' lines in our example is enough...

The only reasonable fix that comes into my mind is to exit if NAMEINARGS is used *after* server_args is set. And, of course, make this fact cleanly visible in the documentation.

The 'proper' fix would be to make the config parsing aware of every other option set. This would probably have to be done in two passes and IMHO is just not worth it.

--- Additional comment from Jan Synacek on 2013-11-22 11:24:25 CET ---

Disable service if NAMEINARGS is present in flags and is specified after server_args.

--- Additional comment from Jan Synacek on 2013-11-22 11:24:49 CET ---

Shift server arguments if NAMEINARGS flag is specified after server_args.

--- Additional comment from Jan Synacek on 2013-11-22 11:25:05 CET ---

I consider patch v1 somewhat cleaner solution to the problem.

--- Additional comment from Fedora Update System on 2013-12-03 11:23:58 CET ---

xinetd-2.3.15-10.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/xinetd-2.3.15-10.fc20
Comment 4 Ludek Smid 2014-06-13 12:43:01 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
Note You need to log in before you can comment on or make changes to this bug.