Hi,

I've recently discovered that rlinetd hangs after it receives the SIGHUP or SIGTERM signals, making it impossible to properly stop, reload or restart the service. The bug was introduced in the previous upload and occurs only when at least one RPC service is configured. Strace shows that the bug is caused by memory corruption (BTW, I have no idea why glibc calls futex() instead of abort() in such cases; IMHO, if rlinetd had dumped a core I would have seen the bug earlier):

open("/dev/tty", O_RDWR|O_NONBLOCK|O_NOCTTY) = -1 ENXIO (No such device or address)
writev(2, [{"*** glibc detected *** ", 23}, {"double free or corruption (out)", 31}, {": 0x", 4}, {"b7ed14f8", 8}, {" ***\n", 5}], 5) = -1 EBADF (Bad file descriptor)
[ ... skipped ... ]
futex(0xb7ed14c0, FUTEX_WAIT, 2, NULL

Anyway, I fixed the bug in 0.6-3 and I would ask you to allow the version to propagate to etch. The patch is quite simple, as it adds only two lines, both of which initialise to NULL the pointer passed to numlist_copy() (the first line solves this bug and the second one fixes a similar bug, however not as serious as the first, since it occurs only when rlinetd is configured in a rather strange way):

diff -u rlinetd-0.6/grammar.y rlinetd-0.6/grammar.y --- rlinetd-0.6/grammar.y +++ rlinetd-0.6/grammar.y @@ -1249,6 +1249,7 @@ if (!p->data) rl_fatal(EX_SOFTWARE, "ABORT - Can't allocate memory"); p->type = RLC_UNRPC; + ((struct rlc_unrpc *)p->data)->vers = NULL; numlist_copy(&(((struct rlc_unrpc *)p->data)->vers), current_service->rpcvers); ((struct rlc_unrpc *)p->data)->prog = current_service->rpcnum; /* current_service->rpcvers = NULL;*/ /* caused segfault in the next iteration 
@@ -1350,6 +1351,7 @@ stringlist_copy(&to->port, from->port); stringlist_copy(&to->interface, from->interface); to->rpcname = from->rpcname ? strdup(from->rpcname) : NULL; + to->rpcvers = NULL; numlist_copy(&to->rpcvers, from->rpcvers); #ifdef HAVE_LIBCAP to->caps = from->caps ? cap_dup(from->caps) : NULL; diff -u rlinetd-0.6/debian/changelog rlinetd-0.6/debian/changelog --- rlinetd-0.6/debian/changelog +++ rlinetd-0.6/debian/changelog @@ -1,3 +1,18 @@ +rlinetd (0.6-3) unstable; urgency=high + + * grammar.y: fix stack corruption error, that prevented rlinetd from + stopping properly when RPC are enabled. The bug occurred in the + rlp_cleanup() function, was introduced in the previous release and + is caused by my misunderstanding of numlist_copy() function, which + joins two lists together rather than making a simple copy. + Simple NULL-ification of the destination list before the above function + is called fixes the problem. + * grammar.y: fix similar bug, that happens when the rpc token is used + in the "default" configuration section (however hardly likely anybody + will ever configure rlinetd in that way). + + -- Robert Luberda <robert@debian.org> Wed, 21 Mar 2007 23:21:31 +0100 + rlinetd (0.6-2) unstable; urgency=low * grammar.y: fix segmentation fault on RPC services for which getaddrinfo()

Best Regards,
robert
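Review bot: in the first grammar.y hunk (@@ -1249), initialising only `vers` leaves every other field of the freshly allocated `p->data` record in whatever state the allocator returned it; if that allocation is a plain malloc() rather than calloc(), any other pointer member of struct rlc_unrpc starts out indeterminate exactly as `vers` did. Zeroing the whole record once, right after the `if (!p->data) rl_fatal(...)` check (calloc() at the allocation, or a memset()), closes this class of bug for all fields instead of one. The trailing `/* current_service->rpcvers = NULL;*/ /* caused segfault in the next iteration` comment is a leftover from an earlier attempt at the same problem and is worth deleting now that the root cause (numlist_copy() appending to the destination) is understood.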
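Review bot: in the second grammar.y hunk (@@ -1350), `to->rpcvers = NULL;` assumes `to` never carries a live list before the copy; if it does, the old list is leaked rather than freed. More importantly, the two `stringlist_copy(&to->port, ...)` and `stringlist_copy(&to->interface, ...)` calls just above are handed destination pointers the same way, so if stringlist_copy() has the same append semantics as numlist_copy() they need the same NULL initialisation. Suggest confirming that, or zeroing `to` in one place before any of the *_copy() calls so the fix does not depend on remembering it per field.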
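Review bot: the changelog hunk describes the first fix as a "stack corruption error", but the glibc message quoted in the report, `double free or corruption (out)`, is emitted by malloc's heap consistency checks, and the pointer being fixed lives inside a heap-allocated record (`p->data`, guarded by the "Can't allocate memory" check). "heap corruption" or simply "memory corruption" would describe it accurately. Minor wording in the same hunk: "when RPC are enabled" reads better as "when RPC services are enabled", and "fix similar bug" as "fix a similar bug".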
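The failure mode in this report, an append-style list copy handed an uninitialised destination pointer, reduced to a stand-alone C example added here; it is not rlinetd's code. `struct numlist`, `struct rpc_entry`, `numlist_push`, `numlist_len`, `numlist_free` and `copy_and_count` are constructed for the example, and `numlist_copy` is a reconstruction of the behaviour the changelog describes (joining onto whatever the destination already holds), not the project's implementation. It shows why two copies into the same destination yield a joined list, what the 0.6-2 code pattern did wrong, and the hardened form that zeroes the whole record instead of one field.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for rlinetd's numlist: a singly linked list of
 * integers (RPC version numbers in the original). Not the project's code. */
struct numlist {
    int value;
    struct numlist *next;
};

/* Constructed stand-in for the struct rlc_unrpc record from grammar.y. */
struct rpc_entry {
    int prog;
    struct numlist *vers;
};

static void *xmalloc(size_t n) {
    void *p = malloc(n);
    if (!p) { perror("malloc"); exit(EXIT_FAILURE); }
    return p;
}

/* Prepend a node; used to build test input. */
struct numlist *numlist_push(struct numlist *head, int value) {
    struct numlist *n = xmalloc(sizeof *n);
    n->value = value;
    n->next = head;
    return n;
}

/* Append-style copy, modelled on the changelog's description of
 * numlist_copy(): walk to the tail of *dst and link duplicated nodes there.
 * Whatever *dst holds on entry is dereferenced, so the caller must have
 * set it to NULL (or to a valid list it wants joined). */
void numlist_copy(struct numlist **dst, const struct numlist *src) {
    struct numlist **tail = dst;
    while (*tail)
        tail = &(*tail)->next;
    for (; src; src = src->next) {
        struct numlist *n = xmalloc(sizeof *n);
        n->value = src->value;
        n->next = NULL;
        *tail = n;
        tail = &n->next;
    }
}

size_t numlist_len(const struct numlist *l) {
    size_t n = 0;
    for (; l; l = l->next) n++;
    return n;
}

void numlist_free(struct numlist *l) {
    while (l) { struct numlist *next = l->next; free(l); l = next; }
}

/* Copy a three-element source list into the same destination `ncopies`
 * times and return the resulting length: 3 for one copy, 6 for two, which
 * is the "joins two lists together" behaviour the report describes. */
size_t copy_and_count(unsigned ncopies) {
    struct numlist *src = NULL, *dst = NULL;
    src = numlist_push(src, 3);
    src = numlist_push(src, 2);
    src = numlist_push(src, 1);
    for (unsigned i = 0; i < ncopies; i++)
        numlist_copy(&dst, src);
    size_t len = numlist_len(dst);
    numlist_free(src);
    numlist_free(dst);
    return len;
}

/* The 0.6-2 pattern: the record comes from malloc() and vers is handed to
 * numlist_copy() without ever being set, so the tail walk follows an
 * indeterminate pointer; glibc later reports the damage as heap
 * corruption. Deliberately never called. */
struct rpc_entry *rpc_entry_new_unsafe(int prog, const struct numlist *versions) {
    struct rpc_entry *e = xmalloc(sizeof *e);
    e->prog = prog;
    numlist_copy(&e->vers, versions);   /* undefined behaviour: e->vers unset */
    return e;
}

/* Hardened form: zero the whole record so every pointer field starts NULL,
 * not only the one the patch touches. calloc() gives all-bits-zero, which is
 * a null pointer on every platform rlinetd targets; the explicit assignment
 * keeps it portable regardless. */
struct rpc_entry *rpc_entry_new(int prog, const struct numlist *versions) {
    struct rpc_entry *e = calloc(1, sizeof *e);
    if (!e) { perror("calloc"); exit(EXIT_FAILURE); }
    e->prog = prog;
    e->vers = NULL;
    numlist_copy(&e->vers, versions);
    return e;
}

int main(void) {
    printf("one copy: %zu nodes, two copies: %zu nodes\n",
           copy_and_count(1), copy_and_count(2));
    return 0;
}
```

Running it prints 3 and 6 nodes, which is the whole story behind the patch: `numlist_copy` is an append, so the destination pointer must be NULL before the first call, and the cheapest way to guarantee that for every pointer in the record is to zero the record at allocation rather than per field.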