Bug 141110 - bug in table_match leads to segfault of process executing hosts_ctl
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: tcp_wrappers
Version: 3
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: David Lawrence
Reported: 2004-11-29 12:38 UTC by Nikita Shulga
Modified: 2007-11-30 22:10 UTC (History)
Last Closed: 2005-05-06 13:29:28 UTC

Attachments
should fix this issue (709 bytes, patch)
2004-11-29 16:50 UTC, Nikita Shulga

Description Nikita Shulga 2004-11-29 12:38:29 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0

Description of problem:
It first occurred with the slapd daemon when I tried to run a stress test on
the ldap-server. If one opens too many connections to the slapd process, slapd
will eventually receive SEG_FAULT.
The last message submitted to the log before the crash is:
slapd[xxxx]:  warning: cannot open /etc/hosts.allow: Too many open files
When I started to investigate that, I found out that the crash happens due
to the following bug in the table_match function in tcp_wrappers:
int table_match(...)
{
    /* sh_cmd variable is declared but not initialized here */
    match = NO;

    ...
    if ((fp = open()) != 0) {
        ....
        /* Initialize sh_cmd here */
        ....
    } else if (errno != ENOENT) {
        tcpd_warn();
        match = ERR;
    }
    if (match) {
        /* Use sh_cmd here */
    }
    ....
}

So the developer assumed that the match variable would be equal
to YES in the later if, but the code tests it as non-zero.
The following patch fixes this problem:
--- tcp_wrappers_7.6/hosts_access.c.orig        2004-11-29
15:16:26.532074984 +0300
+++ tcp_wrappers_7.6/hosts_access.c     2004-11-29 15:15:47.500008760
+0300
@@ -177,7 +177,7 @@
        tcpd_warn("cannot open %s: %m", table);
        match = ERR;
     }
-    if (match) {
+    if (match == YES) {
        if (hosts_access_verbose > 1)
            syslog(LOG_DEBUG, "matched:  %s line %d",
                   tcpd_context.file, tcpd_context.line);
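
Review bot: The `if (match == YES)` test only protects the block inside table_match; `match = ERR` two lines above it still leaves a non-zero value in match, and if that value is what the function returns, a caller that checks the result with a bare `if (table_match(...))` will treat an unreadable table as a match. Callers should compare against YES or NO explicitly in the same patch. It would also help to initialize sh_cmd where it is declared, so that a later change to this condition cannot reach it uninitialized.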


Version-Release number of selected component (if applicable):
tcp_wrappers-7.6-37.2

How reproducible:
Always

Steps to Reproduce:
1. Make sure that you have hosts.allow and hosts.deny
2. Run slapd with DB large enough
3. Load it heavily, with something like this:
while /bin/true; do
ldapsearch -x "objectClass=*"
done

    

Actual Results:  slapd crashes

Additional info:

Comment 1 Nikita Shulga 2004-11-29 16:50:44 UTC
Created attachment 107553
should fix this issue

After studying the .spec file I'd like to add a few more comments:
1) This bug was introduced by tcp_wrappers-7.6-sig.patch
2) Another misbehaviour was added by that patch in the host_access function.
Originally its tail was:
    if (table_match(hosts_allow_table, request))	      
	return (YES);					      
    if (table_match(hosts_deny_table, request)) 	
	return (NO);					     
    return (YES);
					      
After tcp_wrappers-7.6-sig.patch it turned to:
    if (table_match(hosts_allow_table, request))	      
	return (YES);					      
    if (table_match(hosts_deny_table, request) == NO)	      
	return (YES);					      
    return (NO);					      
But it should be:
    if (table_match(hosts_allow_table, request) == YES) 	     
	return (YES);					      
    if (table_match(hosts_deny_table, request) == NO)	      
	return (YES);					      
    return (NO);					      

A patch to tcp_wrappers-7.6-37.2 which will fix both issues is attached to this
comment.
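
The three tails quoted in Comment 1, evaluated over every combination of YES, NO and ERR, as an added example that is not part of the bug report or of tcp_wrappers. The value ERR = -1 and the names tail_original, tail_after_sig_patch, tail_proposed and unjustified_grants are assumptions made for the illustration.

```c
#include <stdio.h>

/* YES and NO as used on the page. ERR = -1 is an assumption: the report
 * only implies that ERR is non-zero. */
#define YES 1
#define NO  0
#define ERR (-1)

typedef int (*tail_fn)(int allow, int deny);

/* The three tails quoted in Comment 1. The two table_match() results are
 * passed in as parameters so every combination can be tried. */
static int tail_original(int allow, int deny) {
    if (allow) return YES;
    if (deny)  return NO;
    return YES;
}
static int tail_after_sig_patch(int allow, int deny) {
    if (allow)      return YES;
    if (deny == NO) return YES;
    return NO;
}
static int tail_proposed(int allow, int deny) {
    if (allow == YES) return YES;
    if (deny == NO)   return YES;
    return NO;
}

/* Hypothetical helper: counts the combinations where access is granted
 * although the allow table did not return YES and the deny table did not
 * return NO (a lookup failed, or the deny table matched). */
static int unjustified_grants(tail_fn tail) {
    static const int states[] = { YES, NO, ERR };
    int count = 0;
    for (int a = 0; a < 3; a++)
        for (int d = 0; d < 3; d++)
            if (states[a] != YES && states[d] != NO &&
                tail(states[a], states[d]) == YES)
                count++;
    return count;
}

int main(void) {
    printf("original:        %d\n", unjustified_grants(tail_original));
    printf("after sig patch: %d\n", unjustified_grants(tail_after_sig_patch));
    printf("proposed:        %d\n", unjustified_grants(tail_proposed));
    return 0;
}
```

Both truthiness-based tails grant access whenever the allow lookup returns ERR; the tail with explicit comparisons grants only on a YES from the allow table or a NO from the deny table.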

Comment 2 Thomas Woerner 2005-05-06 13:29:28 UTC
Fixed in rawhide in rpm tcp_wrappers-7.6-39 or newer.

