This service will be undergoing maintenance at 20:00 UTC, 2017-04-03. It is expected to last about 30 minutes
Bug 141110 - bug in table_match leads to segfault of process executing hosts_ctl
bug in table_match leads to segfault of process executing hosts_ctl
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: tcp_wrappers (Show other bugs)
3
All Linux
medium Severity medium
: ---
: ---
Assigned To: Thomas Woerner
David Lawrence
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-11-29 07:38 EST by Nikita Shulga
Modified: 2007-11-30 17:10 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-05-06 09:29:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
should fix this issue (709 bytes, patch)
2004-11-29 11:50 EST, Nikita Shulga
no flags Details | Diff

  None (edit)
Description Nikita Shulga 2004-11-29 07:38:29 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
It first occured with slapd deamon when I tried to run stress test on
ldap-server. If one opens too may connection to slapd process, slapd
will receive SEG_FAULT eventually
Last message submitted to the log before the crash is: 
slapd[xxxx]:  warning: cannot open /etc/hosts.allow: Too many open files
When I started to investigate that, I find out, that crash happens du
to the following bug in table_match function in tcp_wrappers:
int table_match(...)
{
  /*sh_cmd variable is declared but not initialized here*/
  match=NO;
 
  ...
  if ((fp=open())!=0) {
     ....
     /*Initialize sh_cmd here*/
     .... 
 } else if (errno != ENOENT) {
     tcpd_warn()
     match = ERR;
 }
 if (match) {
    /*Use sh_cmd here*/
 }
  ....
}

So, it was assumed by developer, that match variable should be equal
to YES  in later if, but it tests it as non-zero.
The following patch fixes this problem:
--- tcp_wrappers_7.6/hosts_access.c.orig        2004-11-29
15:16:26.532074984 +0300
+++ tcp_wrappers_7.6/hosts_access.c     2004-11-29 15:15:47.500008760
+0300
@@ -177,7 +177,7 @@
        tcpd_warn("cannot open %s: %m", table);
        match = ERR;
     }
-    if (match) {
+    if (match == YES) {
        if (hosts_access_verbose > 1)
            syslog(LOG_DEBUG, "matched:  %s line %d",
                   tcpd_context.file, tcpd_context.line);


Version-Release number of selected component (if applicable):
tcp_wrappers-7.6-37.2

How reproducible:
Always

Steps to Reproduce:
1.Make sure that you have hosts.allow and hosts.deny
2.Run slapd with DB large enough
3.Load it heavily, with something like this
while /bin/true; do
ldapsearch -x "objectClass=*"
done

    

Actual Results:  slapd crashes

Additional info:
Comment 1 Nikita Shulga 2004-11-29 11:50:44 EST
Created attachment 107553 [details]
should fix this issue

After studying .spec file I'd like to add few more comments:
1) This bug was introduced by tcp_wrappers-7.6-sig.patch
2) Another misbehaviour was added by that patch in host_access function. 
Originally it's tail was:
    if (table_match(hosts_allow_table, request))	      
	return (YES);					      
    if (table_match(hosts_deny_table, request)) 	
	return (NO);					     
    return (YES);
					      
After tcp_wrappers-7.6-sig.patch it turned to:
    if (table_match(hosts_allow_table, request))	      
	return (YES);					      
    if (table_match(hosts_deny_table, request) == NO)	      
	return (YES);					      
    return (NO);					      
But it should be:
    if (table_match(hosts_allow_table, request) == YES) 	     
	return (YES);					      
    if (table_match(hosts_deny_table, request) == NO)	      
	return (YES);					      
    return (NO);					      

Patch to tcp_wrappers-7.6-37.2 which will fix both issue is attached to this
comment
Comment 2 Thomas Woerner 2005-05-06 09:29:28 EDT
Fixed in rawhide in rpm tcp_wrappers-7.6-39 or newer.

Note You need to log in before you can comment on or make changes to this bug.