From nick@milla.ask33.net  Tue Jan 21 11:47:28 2003
Return-Path: <nick@milla.ask33.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 723A337B401
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 21 Jan 2003 11:47:28 -0800 (PST)
Received: from milla.ask33.net (milla.ask33.net [217.197.166.60])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 612B443F1E
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 21 Jan 2003 11:47:27 -0800 (PST)
	(envelope-from nick@milla.ask33.net)
Received: by milla.ask33.net (Postfix, from userid 1001)
	id 7F7EF3ABD6C; Tue, 21 Jan 2003 20:48:14 +0100 (CET)
Message-Id: <20030121194814.GQ9430@garage.freebsd.pl>
Date: Tue, 21 Jan 2003 20:48:14 +0100
From: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
Reply-To: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
Subject: Segfault in inetd(8).
X-Send-Pr-Version: 3.113

>Number:         47313
>Category:       bin
>Synopsis:       Segfault in inetd(8).
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ume
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 21 11:50:02 PST 2003
>Closed-Date:    Sun Feb 16 08:15:22 PST 2003
>Last-Modified:  Sun Feb 16 08:15:22 PST 2003
>Originator:     Pawel Jakub Dawidek
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
CerbNG group.
>Environment:
System: FreeBSD leila.mikrus.pw.edu.pl 4.7-STABLE FreeBSD 4.7-STABLE #20: Mon Jan 20 23:21:30 CET 2003 root@leila.mikrus.pw.edu.pl:/usr/obj/usr/src/sys/LEILA i386


>Description:
	In some cases inetd(8) core dumps. I'm running inetd(8)
	with '-wWl' flags.

	The problem is in line 736 of inetd.c. syslog(3) is called there
	and one of its arguments is:

	(((struct sockaddr *)req.client->sin)->sa_family == AF_INET6 && !IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)req.client->sin)->sin6_addr)) ? "6" : "");

	And here req.client->sin could be NULL.

>How-To-Repeat:
	I'm not quite sure. With some changes we got:

	[...] leila inetd[1323]: warning: can't get client address: Connection reset by peer
	[...] leila inetd[1323]: WE GOT NULL! <originally here we got core dump>
	[...] leila inetd[1323]: connection from unknown, service ftpd (tcp)

>Fix:
	I'm not sure if this is a fix. Maybe a workaround only, because
	req.client->sin should never be NULL?


--- inetd.c.orig	Wed Aug 21 12:00:24 2002
+++ inetd.c	Tue Jan 21 20:28:25 2003
@@ -736,7 +736,8 @@
 				    syslog(allow_severity,
 				        "connection from %.500s, service %s (%s%s)",
 					eval_client(&req), service, sep->se_proto,
-					(((struct sockaddr *)req.client->sin)->sa_family == AF_INET6 && !IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)req.client->sin)->sin6_addr)) ? "6" : "");
+					(req.client->sin != NULL && ((struct sockaddr *)req.client->sin)->sa_family == AF_INET6 &&
+					 !IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)req.client->sin)->sin6_addr)) ? "6" : "");
 				}
 			    }
 			    if (sep->se_bi) {
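Review bot: the `req.client->sin != NULL` guard on the first `+` line fixes this one allow_severity syslog call, but it is a per-call-site fix; if the refused-connection syslog a few lines further down in inetd.c (outside this hunk) builds the same `sa_family`/`IN6_IS_ADDR_V4MAPPED` suffix from `req.client->sin`, it hits the identical NULL pointer on the same reset-before-address-lookup race and needs the same guard. A one-line comment at the guard ("sin is NULL when the peer reset before its address was fetched") would also stop a later cleanup from treating the check as redundant, which is exactly the doubt the submitter raises in the Fix section. Minor style point: the first `+` line still runs well past 80 columns; breaking after the `&&` that follows `AF_INET6` keeps it in line with the surrounding code.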
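As an added example (not inetd's own code and not the submitter's patch): a NULL-tolerant version of the suffix expression from line 736, plus a hypothetical `suffix_for_text` wrapper that builds the sockaddr from a constructed textual address so the IPv4, native IPv6, v4-mapped and missing-address cases can all be exercised offline.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper, not inetd's code: the protocol suffix inetd logs,
 * "6" for a native IPv6 peer and "" otherwise.  Unlike the expression at
 * inetd.c line 736 it accepts a NULL address, which is what tcp_wrappers
 * leaves in req.client->sin when the peer resets the connection before
 * its address could be fetched. */
const char *
proto_suffix(const struct sockaddr *sa)
{
	const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;

	if (sa == NULL || sa->sa_family != AF_INET6)  /* no address, or IPv4 */
		return "";
	return IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr) ? "" : "6"; /* ::ffff:a.b.c.d logs as plain tcp */
}

/* Builds a sockaddr from text (constructed input) and runs proto_suffix on it;
 * NULL text stands for the "can't get client address" case from the log. */
const char *
suffix_for_text(const char *text)
{
	struct sockaddr_in sin;
	struct sockaddr_in6 sin6;

	if (text == NULL)
		return proto_suffix(NULL);
	memset(&sin6, 0, sizeof(sin6));
	if (inet_pton(AF_INET6, text, &sin6.sin6_addr) == 1) {
		sin6.sin6_family = AF_INET6;
		return proto_suffix((const struct sockaddr *)&sin6);
	}
	memset(&sin, 0, sizeof(sin));
	if (inet_pton(AF_INET, text, &sin.sin_addr) == 1) {
		sin.sin_family = AF_INET;
		return proto_suffix((const struct sockaddr *)&sin);
	}
	return NULL;                    /* not an address at all */
}

int
main(void)
{
	/* Same shape as the line inetd logged after the reset. */
	printf("connection from unknown, service ftpd (tcp%s)\n",
	    suffix_for_text(NULL));
	return 0;
}
```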
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->dwmalone 
Responsible-Changed-By: dwmalone 
Responsible-Changed-When: Wed Feb 5 04:43:58 PST 2003 
Responsible-Changed-Why:  
I'll have a look at this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=47313 
State-Changed-From-To: open->feedback 
State-Changed-By: dwmalone 
State-Changed-When: Sun Feb 9 12:27:50 PST 2003 
State-Changed-Why:  
I believe your analysis is correct, if a connection is closed before 
the address can be determined then the pointer may be NULL. I've produced 
a patch which covers this and a couple of other problems. I wonder if 
you could cast your eye over it and make sure I have made a change you 
think is correct. If you could test it, that would be even better. 

The patch is at: 
http://www.maths.tcd.ie/~dwmalone/inetd-stable.patch 
and http://www.maths.tcd.ie/~dwmalone/inetd-current.patch

David. 

Responsible-Changed-From-To: dwmalone->ume 
Responsible-Changed-By: dwmalone 
Responsible-Changed-When: Thu Feb 13 10:35:40 PST 2003 
Responsible-Changed-Why:  
UMEMOTO-san has just committed a patch to -current and will MFC shortly. 

State-Changed-From-To: feedback->closed 
State-Changed-By: ume 
State-Changed-When: Sun Feb 16 08:14:03 PST 2003 
State-Changed-Why:  
I committed the fix into 5-CURRENT and 4-STABLE. 

>Unformatted:
