Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1283925

Summary: segfault in network::TcpListener::TcpListener
Product: Red Hat Enterprise Linux 7 Reporter: Jim Minter <jminter>
Component: tigervncAssignee: Jan Grulich <jgrulich>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: medium Docs Contact:
Priority: high    
Version: 7.2CC: alanm, ayadav, jcastran, jgrulich, J.H.Hodrien, jraising, jsbillin, pasteur, paulm, sengork, tpelka, yzeng
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1304700 (view as bug list) Environment:
Last Closed: 2016-11-04 01:29:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1203710, 1297830, 1304700    
Attachments:
Description Flags
Patch to fix the crash in TcpListener none

Description Jim Minter 2015-11-20 10:03:05 UTC 
Description of problem:

Xvnc segfaults when launched from inetd

Version-Release number of selected component (if applicable):

Latest RHEL 7.2 - tigervnc-server-1.3.1-3.el7.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Add following to /etc/xinetd.d/rfb:

service rfb
{
        protocol = tcp
        wait = no
        user = nobody
        server = /usr/bin/Xvnc
        server_args = -inetd -query localhost -once -SecurityTypes None
}

2. Attempt to vnc to box on :5900

Actual results:

VNC session fails to launch, Xvnc segfaults

Expected results:

VNC session launches, GDM screen presented (this worked fine in RHEL 7.1)

Additional info:

Running GDB on core file created shows segfault in this line:

Core was generated by `Xvnc -inetd -query localhost -once -SecurityTypes None'.
Program terminated with signal 11, Segmentation fault.
#0  network::TcpListener::TcpListener (this=0x7ffe72cbda20, listenaddr=0x0, listenaddrlen=6000)
    at /usr/src/debug/tigervnc-1.3.1/common/network/TcpSocket.cxx:426
426	  if ((sock = socket (listenaddr->sa_family, SOCK_STREAM, 0)) < 0)

It turns out that listenaddr is NULL.

(gdb) bt
#0  network::TcpListener::TcpListener (this=0x7ffe72cbda20, listenaddr=0x0, listenaddrlen=6000)
    at /usr/src/debug/tigervnc-1.3.1/common/network/TcpSocket.cxx:426
#1  0x000000000044794e in displayNumFree (num=num@entry=0) at xvnc.cc:355
#2  0x000000000044d2eb in ddxProcessArgument (argc=argc@entry=7, argv=argv@entry=0x7ffe72cbdd98, i=i@entry=1) at xvnc.cc:580
#3  0x00000000005bf34f in ProcessCommandLine (argc=argc@entry=7, argv=argv@entry=0x7ffe72cbdd98) at utils.c:689
#4  0x000000000056d629 in dix_main (argc=7, argv=0x7ffe72cbdd98, envp=0x7ffe72cbddd8) at main.c:146
#5  0x00007f0eef251b15 in __libc_start_main (main=0x449ad0 <main>, argc=7, ubp_av=0x7ffe72cbdd98, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7ffe72cbdd88) at libc-start.c:274
#6  0x000000000044ad8d in _start ()

In displayNumFree, the logic repeatedly tries to find a display number, but NULL is passed directly into network::TcpListener::TcpListener and then dereferenced.  This is a clear logic bug.

(gdb) l xvnc.cc:355
350	
351	static 
352	bool displayNumFree(int num)
353	{
354	    try {
355		network::TcpListener l(NULL, 6000+num);
356	    } catch (rdr::Exception& e) {
357		return false;
358	    }
359	    char file[256];

A sort of workaround is to change

        server_args = -inetd -query localhost -once -SecurityTypes None

to

        server_args = :1 -inetd -query localhost -once -SecurityTypes None

in /etc/xinetd.d/rfb, as this bypasses the flawed logic.  However this prevents multiple concurrent logins via VNC/XDM to the box.
Comment 2 Jonathan Billings 2015-12-07 16:25:20 UTC 
We have also encountered this bug.

You can trigger it by simply running:

/usr/bin/Xvnc -inetd
Comment 3 Jan Grulich 2015-12-09 08:34:29 UTC 
Created attachment 1103810 [details]
Patch to fix the crash in TcpListener

Here is proposed patch to fix this crash. It actually comes from upstream and I just forgot to backport this part to our IPv6 patch for tigervnc.
Comment 4 Jonathan Billings 2015-12-09 13:36:44 UTC 
I built a version of the package with that patch added, and have tested it on our systems that run Xvnc with the -inetd option, and they no longer segfault when starting, so I can confirm that the patch works.
Comment 5 John Hodrien 2016-01-11 12:25:02 UTC 
Another confirmation of the patch solving the problem.
Comment 7 Paul 2016-01-15 02:42:15 UTC 
We have two client sites that are experiencing this issue. VNC server is a critical component of our product. When would this patch be included in an official Red Hat update?
Comment 8 Jan Grulich 2016-01-28 08:28:45 UTC 
*** Bug 1302324 has been marked as a duplicate of this bug. ***
Comment 10 Jan Grulich 2016-02-02 20:29:31 UTC 
Fix commited to y-stream branch (rhel-7.3).
Comment 14 sengork 2016-05-18 06:07:51 UTC 
We too are affected by this bug. Please note that disabling IPv6 will not fix this issue.

We'd love to have this working again without any interim workarounds. When will this patch be released?
Comment 15 Jan Grulich 2016-05-18 07:48:14 UTC 
I don't know when this will be released, it is supposed to be fixed in RHEL 7.3 and RHEL 7.2 as z-stream fix.
Comment 16 Tomas Pelka 2016-05-18 08:31:57 UTC 
(In reply to Jan Grulich from comment #15)
> I don't know when this will be released, it is supposed to be fixed in RHEL
> 7.3 and RHEL 7.2 as z-stream fix.

As Jan mentioned the fix was published within 7.2.z, see https://rhn.redhat.com/errata/RHBA-2016-0543.html, it will be automatically included in upcomming 7.3 too.
Comment 21 errata-xmlrpc 2016-11-04 01:29:30 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2237.html
Comment 22 Jan Grulich 2017-01-20 06:06:03 UTC 
*** Bug 1415028 has been marked as a duplicate of this bug. ***