
Please unblock rlinetd/0.6-3



Hi, 


I've recently discovered that rlinetd hangs after it receives the
SIGHUP or SIGTERM signals, making it impossible to properly stop, reload
or restart the service. The bug was introduced in the previous upload and
occurs only when at least one RPC service was configured.

Strace shows that the bug is caused by memory corruption (BTW, I have no idea
why glibc calls futex() instead of abort() in such cases; IMHO if rlinetd
had dumped a core I would have seen the bug earlier):
open("/dev/tty", O_RDWR|O_NONBLOCK|O_NOCTTY) = -1 ENXIO (No such device or address)
writev(2, [{"*** glibc detected *** ", 23}, {"double free or corruption (out)", 31}, {": 0x", 4}, {"b7ed14f8", 8}, {" ***\n", 5}], 5) = -1 EBADF (Bad file descriptor)
[ ... skipped ... ]
futex(0xb7ed14c0, FUTEX_WAIT, 2, NULL


Anyway, I fixed the bug in 0.6-3 and I would ask you to allow the version
to propagate to etch.
The patch is quite simple, as it adds only two lines, both of which initialise
to NULL the pointer passed to numlist_copy() (the first line solves this
bug and the second one fixes a similar bug, which however is not as serious as
the first one, since it occurs only when rlinetd is configured in a rather
strange way):


diff -u rlinetd-0.6/grammar.y rlinetd-0.6/grammar.y
--- rlinetd-0.6/grammar.y
+++ rlinetd-0.6/grammar.y
@@ -1249,6 +1249,7 @@
 					if (!p->data)
 						rl_fatal(EX_SOFTWARE, "ABORT - Can't allocate memory");
 					p->type = RLC_UNRPC;
+					((struct rlc_unrpc *)p->data)->vers = NULL;
 					numlist_copy(&(((struct rlc_unrpc *)p->data)->vers), current_service->rpcvers);
 					((struct rlc_unrpc *)p->data)->prog =	current_service->rpcnum;
 					/* current_service->rpcvers = NULL;*/ /* caused segfault in the next iteration
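Review bot: the added `vers = NULL` depends on every caller remembering that numlist_copy() appends to the list it is handed rather than replacing it; since p->data has just been allocated and checked for failure a few lines above, allocating it with calloc() (or zeroing it after malloc()) would leave every pointer field of struct rlc_unrpc NULL and close the same gap for any other list field in that struct. The commented-out `current_service->rpcvers = NULL;` that follows is also worth a second look now that the append semantics are understood: the copy leaves current_service->rpcvers intact, so exactly one owner should free that list in rlp_cleanup(), and a short comment saying which one would prevent the "segfault in the next iteration" experiment from being repeated.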
@@ -1350,6 +1351,7 @@
 	stringlist_copy(&to->port, from->port);
 	stringlist_copy(&to->interface, from->interface);
 	to->rpcname = from->rpcname ? strdup(from->rpcname) : NULL;
+	to->rpcvers = NULL;
 	numlist_copy(&to->rpcvers, from->rpcvers);
 #ifdef HAVE_LIBCAP
 	to->caps = from->caps ? cap_dup(from->caps) : NULL;
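Review bot: `to->rpcvers = NULL;` discards whatever list head `to->rpcvers` already held without freeing it, so if `to` can be a previously populated service rather than a zeroed struct the old nodes leak; freeing the old list before resetting the head covers both cases. It is also worth checking whether stringlist_copy() on the `port` and `interface` lines above has the same append behaviour as numlist_copy(), because those destinations are not reset here. Since the changelog names a misunderstanding of numlist_copy() as the root cause, a comment on numlist_copy() itself (or a name such as numlist_append) would stop the next caller from making the same assumption.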
diff -u rlinetd-0.6/debian/changelog rlinetd-0.6/debian/changelog
--- rlinetd-0.6/debian/changelog
+++ rlinetd-0.6/debian/changelog
@@ -1,3 +1,18 @@
+rlinetd (0.6-3) unstable; urgency=high
+
+  * grammar.y: fix stack corruption error, that prevented rlinetd from
+    stopping properly when RPC are enabled. The bug occurred in the
+    rlp_cleanup() function, was introduced in the previous release and
+    is caused by my misunderstanding of numlist_copy() function, which
+    joins two lists together rather than making a simple copy.
+    Simple NULL-ification of the destination list before the above function
+    is called fixes the problem.
+  * grammar.y: fix similar bug, that happens when the rpc token is used
+    in the "default" configuration section (however hardly likely anybody
+    will ever configure rlinetd in that way).
+
+ -- Robert Luberda <robert@debian.org>  Wed, 21 Mar 2007 23:21:31 +0100
+
 rlinetd (0.6-2) unstable; urgency=low
 
   * grammar.y: fix segmentation fault on RPC services for which getaddrinfo()
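Review bot: the 0.6-3 entry calls this a "stack corruption error", but the strace excerpt in the mail shows glibc's "double free or corruption (out)" message, which comes from malloc's heap-consistency checks, and the fix concerns a list head inside a heap-allocated struct; "heap corruption" (or simply "memory corruption") would describe it accurately. Minor wording in the same entry: "when RPC are enabled" reads better as "when RPC services are enabled", and "fix similar bug" as "fix a similar bug".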



Best Regards,
robert
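To illustrate the failure mode described in this mail, here is an added C example that is not part of rlinetd or of the patch above. It reconstructs a hypothetical numlist with the append semantics the changelog attributes to numlist_copy(); struct numlist, node_new(), numlist_from(), struct unrpc, unrpc_new() and unrpc_set_vers() are assumed names for this example, not rlinetd's real definitions, and the list contents are constructed sample values. It shows that copying into a NULL head yields an exact copy, copying into a non-empty head concatenates the two lists, and why a malloc'd struct must have its list head set to NULL (or its previous list freed) before the call.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal singly linked list of ints: a hypothetical stand-in for rlinetd's
 * numlist, whose real definition is not shown in the mail. */
struct numlist { int num; struct numlist *next; };

static struct numlist *node_new(int num)
{
    struct numlist *n = malloc(sizeof *n);
    if (!n) { perror("malloc"); exit(EXIT_FAILURE); }
    n->num = num;
    n->next = NULL;
    return n;
}

/* Append-style "copy": each element of src is appended after whatever list
 * *dst already holds, the behaviour the changelog describes ("joins two
 * lists together rather than making a simple copy"). */
void numlist_copy(struct numlist **dst, const struct numlist *src)
{
    /* Walks to the end of the existing destination list first. If *dst is
     * an indeterminate pointer (malloc'd struct, field never set), this loop
     * dereferences garbage: the memory corruption the mail reports. */
    while (*dst)
        dst = &(*dst)->next;
    for (; src; src = src->next) {
        *dst = node_new(src->num);
        dst = &(*dst)->next;
    }
}

void numlist_free(struct numlist *l)
{
    while (l) { struct numlist *next = l->next; free(l); l = next; }
}

size_t numlist_len(const struct numlist *l)
{
    size_t n = 0;
    for (; l; l = l->next) n++;
    return n;
}

/* Build a list from an array of constructed sample values. */
struct numlist *numlist_from(const int *v, size_t n)
{
    struct numlist *head = NULL, **tail = &head;
    for (size_t i = 0; i < n; i++) { *tail = node_new(v[i]); tail = &(*tail)->next; }
    return head;
}

/* Hypothetical stand-in for struct rlc_unrpc in grammar.y. */
struct unrpc { int prog; struct numlist *vers; };

/* Safe construction, mirroring the patch: malloc() leaves vers indeterminate,
 * so the head is set to NULL before numlist_copy() is allowed to walk it. */
struct unrpc *unrpc_new(int prog, const struct numlist *vers)
{
    struct unrpc *p = malloc(sizeof *p);
    if (!p) { perror("malloc"); exit(EXIT_FAILURE); }
    p->prog = prog;
    p->vers = NULL;                  /* the line the patch adds */
    numlist_copy(&p->vers, vers);
    return p;
}

/* Safe reassignment of an already populated object: release the old list,
 * then NULL the head, so numlist_copy() neither appends nor leaks. */
void unrpc_set_vers(struct unrpc *p, const struct numlist *vers)
{
    numlist_free(p->vers);
    p->vers = NULL;
    numlist_copy(&p->vers, vers);
}

/* Copying into an empty head yields an exact copy: 3 elements. */
size_t len_copy_into_null(void)
{
    int v[] = {1, 2, 3};
    struct numlist *src = numlist_from(v, 3), *dst = NULL;
    numlist_copy(&dst, src);
    size_t n = numlist_len(dst);
    numlist_free(src); numlist_free(dst);
    return n;
}

/* Copying into a head that already holds two elements concatenates: 2 + 3. */
size_t len_copy_into_existing(void)
{
    int old[] = {9, 9}, v[] = {1, 2, 3};
    struct numlist *src = numlist_from(v, 3), *dst = numlist_from(old, 2);
    numlist_copy(&dst, src);
    size_t n = numlist_len(dst);
    numlist_free(src); numlist_free(dst);
    return n;
}

/* Reassigning through unrpc_set_vers() replaces the list: 1 element left. */
size_t len_after_reassign(void)
{
    int a[] = {1, 2, 3}, b[] = {4};
    struct numlist *la = numlist_from(a, 3), *lb = numlist_from(b, 1);
    struct unrpc *p = unrpc_new(100000, la);
    unrpc_set_vers(p, lb);
    size_t n = numlist_len(p->vers);
    numlist_free(p->vers); free(p); numlist_free(la); numlist_free(lb);
    return n;
}

int main(void)
{
    printf("NULL head: %zu, non-empty head: %zu, after reassign: %zu\n",
           len_copy_into_null(), len_copy_into_existing(), len_after_reassign());
    return 0;
}
```

The buggy pattern (malloc'd struct, `vers` never initialised, numlist_copy() walking whatever bytes happen to be there) is deliberately not executed, since its outcome is undefined; the defensive alternatives are the two shown: initialise the head explicitly as the patch does, or allocate the struct with calloc() so every pointer field starts as NULL without per-field bookkeeping.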
