[xinetd] Remove realloc inside svc_activate that was causing memory corruption Number of alloc'd file descrip

jsynacek jsynacek at fedoraproject.org
Wed Jan 18 13:42:43 UTC 2012 

commit 84f1870618322de0cafd9fbb7a12c9b86df729e8
Author: Jan Synacek <jsynacek at redhat.com>
Date:   Wed Jan 18 14:41:53 2012 +0100

    Remove realloc inside svc_activate that was causing memory corruption
    Number of alloc'd file descriptors is now determined by system limits (ulimit -n)
    Add patch -realloc-remove

 xinetd-2.3.14-realloc-remove.patch |  134 ++++++++++++++++++++++++++++++++++++
 xinetd.spec                        |   10 +++-
 2 files changed, 143 insertions(+), 1 deletions(-)
---
diff --git a/xinetd-2.3.14-realloc-remove.patch b/xinetd-2.3.14-realloc-remove.patch
new file mode 100644
index 0000000..6fd1902
--- /dev/null
+++ b/xinetd-2.3.14-realloc-remove.patch
@@ -0,0 +1,134 @@
+diff -rup xinetd-2.3.14/xinetd/defs.h xinetd-2.3.14-mod/xinetd/defs.h
+--- xinetd-2.3.14/xinetd/defs.h	2012-01-18 14:22:20.811100158 +0100
++++ xinetd-2.3.14-mod/xinetd/defs.h	2012-01-18 13:32:46.000000000 +0100
+@@ -114,11 +114,7 @@ union xsockaddr {
+  * constants for limiting ps.rws.fd_list 
+  */
+ 
+-#ifdef HAVE_POLL
+-#define INIT_POLLFDS                 4096
+-/* FIXME: not used */
+-#define MAX_POLLFDS                  16384
+-#endif
++#define MAX_FDS                      4096
+ 
+ /*
+  * When explicit values are given for enum's, that is because the structures 
+diff -rup xinetd-2.3.14/xinetd/init.c xinetd-2.3.14-mod/xinetd/init.c
+--- xinetd-2.3.14/xinetd/init.c	2012-01-18 14:22:20.779100171 +0100
++++ xinetd-2.3.14-mod/xinetd/init.c	2012-01-18 14:07:34.000000000 +0100
+@@ -151,7 +151,7 @@ static void set_fd_limit(void)
+    }
+ 
+    if ( rl.rlim_max == RLIM_INFINITY ) 
+-      rl.rlim_max = FD_SETSIZE;
++      rl.rlim_max = MAX_FDS;
+ 
+    ps.ros.max_descriptors = rl.rlim_max ;
+ #else      /* ! RLIMIT_NOFILE */
+@@ -283,12 +283,12 @@ static void init_rw_state( void )
+    ps.rws.descriptors_free = ps.ros.max_descriptors - DESCRIPTORS_RESERVED ;
+ 
+ #ifdef HAVE_POLL
+-   ps.rws.pfds_allocated = INIT_POLLFDS ;
++   ps.rws.pfds_allocated = ps.ros.max_descriptors ;
+    ps.rws.pfd_array = (struct pollfd *) 
+                       malloc( sizeof( struct pollfd ) * ps.rws.pfds_allocated ) ;
+    if ( ps.rws.pfd_array == NULL ) 
+    {
+-      out_of_memory(func);
++      out_of_memory(func) ;
+       exit( 1 ) ;
+    }
+    ps.rws.pfds_last = 0 ;
+diff -rup xinetd-2.3.14/xinetd/redirect.c xinetd-2.3.14-mod/xinetd/redirect.c
+--- xinetd-2.3.14/xinetd/redirect.c	2012-01-18 14:22:20.780100170 +0100
++++ xinetd-2.3.14-mod/xinetd/redirect.c	2012-01-18 12:22:08.000000000 +0100
+@@ -149,7 +149,7 @@ void redir_handler( struct server *serp
+ #ifdef HAVE_POLL
+ #define REDIR_DESCRIP_INDEX 0
+ #define REDIR_SERVER_INDEX 1
+-      pfd_array = (struct pollfd *)calloc(sizeof(struct pollfd),INIT_POLLFDS);
++      pfd_array = (struct pollfd *)calloc(sizeof(struct pollfd),MAX_FDS);
+       if (pfd_array == NULL)
+       {
+          msg( LOG_ERR, func, "Cannot allocate memory for file descriptors!\n");
+diff -rup xinetd-2.3.14/xinetd/service.c xinetd-2.3.14-mod/xinetd/service.c
+--- xinetd-2.3.14/xinetd/service.c	2012-01-18 14:22:20.812100157 +0100
++++ xinetd-2.3.14-mod/xinetd/service.c	2012-01-18 14:07:27.000000000 +0100
+@@ -114,10 +114,6 @@ struct service *svc_make_special( struct
+ 
+ void svc_free( struct service *sp )
+ {
+-#ifdef HAVE_POLL
+-   *SVC_POLLFD( sp ) = ps.rws.pfd_array[--ps.rws.pfds_last] ;
+-#endif /* HAVE_POLL */
+-
+    sc_free( SVC_CONF(sp) ) ;
+    CLEAR( *sp ) ;
+    FREE_SVC( sp ) ;
+@@ -332,20 +328,10 @@ status_e svc_activate( struct service *s
+    }
+ 
+ #ifdef HAVE_POLL
+-   if ( ps.rws.pfds_last >= ps.rws.pfds_allocated )
++   if ( ps.rws.descriptors_free <= 0 )
+    {
+-     int pos;
+-     ps.rws.pfds_allocated += INIT_POLLFDS;
+-     struct pollfd *tmp = (struct pollfd *)realloc( ps.rws.pfd_array,
+-       ps.rws.pfds_allocated*sizeof(struct pollfd));
+-     if ( tmp == NULL )
+-     {
+-       out_of_memory( func );
+-       return( FAILED );
+-     }
+-     ps.rws.pfd_array = tmp;
+-     memset(&ps.rws.pfd_array[ps.rws.pfds_last], 0, (ps.rws.pfds_allocated-
+-       ps.rws.pfds_last)*sizeof(struct pollfd));
++     msg(LOG_ERR, func, "Maximum number of services reached") ;
++     return( FAILED ) ;
+    }
+    if ( sp->svc_pfd_index >= 0 )
+    {
+diff -rup xinetd-2.3.14/xinetd/tcpint.c xinetd-2.3.14-mod/xinetd/tcpint.c
+--- xinetd-2.3.14/xinetd/tcpint.c	2012-01-18 14:22:20.782100169 +0100
++++ xinetd-2.3.14-mod/xinetd/tcpint.c	2012-01-18 13:30:22.000000000 +0100
+@@ -93,7 +93,7 @@ static void si_mux(void)
+ #ifdef HAVE_POLL
+    struct pollfd        *pfd_array;
+    int                   pfds_last = 0;
+-   int                   pfds_allocated = INIT_POLLFDS;
++   int                   pfds_allocated = MAX_FDS;
+ #else
+    fd_set                     socket_mask ;
+    int                        mask_max ;
+@@ -102,7 +102,7 @@ static void si_mux(void)
+    const char                *func = "si_mux" ;
+ 
+ #ifdef HAVE_POLL
+-   pfd_array = calloc(sizeof(struct pollfd),INIT_POLLFDS);
++   pfd_array = calloc(sizeof(struct pollfd),MAX_FDS);
+    pfd_array[ pfds_last ].fd = INT_REMOTE( ip ) ;
+    pfd_array[ pfds_last++ ].events = POLLIN | POLLOUT;
+ #else
+diff -rup xinetd-2.3.14/xinetd/udpint.c xinetd-2.3.14-mod/xinetd/udpint.c
+--- xinetd-2.3.14/xinetd/udpint.c	2012-01-18 14:22:20.783100169 +0100
++++ xinetd-2.3.14-mod/xinetd/udpint.c	2012-01-18 12:22:00.000000000 +0100
+@@ -103,14 +103,14 @@ static void di_mux(void)
+ #ifdef HAVE_POLL
+    struct pollfd        *pfd_array;
+    int                   pfds_last = 0;
+-   int                   pfds_allocated = INIT_POLLFDS;
++   int                   pfds_allocated = MAX_FDS;
+ #else
+    fd_set                     socket_mask ;
+    int                        mask_max ;
+ #endif
+ 
+ #ifdef HAVE_POLL
+-   pfd_array = (struct pollfd *)calloc(sizeof(struct pollfd),INIT_POLLFDS);
++   pfd_array = (struct pollfd *)calloc(sizeof(struct pollfd),MAX_FDS);
+    pfd_array[ pfds_last ].fd = INT_REMOTE( ip );
+    pfd_array[ pfds_last++ ].events = POLLIN | POLLOUT;
+ #else
diff --git a/xinetd.spec b/xinetd.spec
index b9e4121..e19bc9b 100644
--- a/xinetd.spec
+++ b/xinetd.spec
@@ -1,7 +1,7 @@
 Summary: A secure replacement for inetd
 Name: xinetd
 Version: 2.3.14
-Release: 40%{?dist}
+Release: 41%{?dist}
 License: xinetd 
 Group: System Environment/Daemons
 Epoch: 2
@@ -49,6 +49,8 @@ Patch21: xinetd-2.3.14-leaking-fds.patch
 # Fix memory corruption when loading a large number of services
 # This fixes #720390
 Patch22: xinetd-2.3.14-many-services.patch
+# Remove realloc of fds that was causing memory corruption
+Patch23: xinetd-2.3.14-realloc-remove.patch
 
 BuildRequires: autoconf, automake
 BuildRequires: libselinux-devel >= 1.30
@@ -103,6 +105,7 @@ located in the /etc/xinetd.d directory.
 %patch20 -p1 -b .fix-type-punned-ptr
 %patch21 -p1 -b .leaking-fds
 %patch22 -p1 -b .many-services
+%patch23 -p1 -b .realloc-remove
 
 aclocal
 autoconf
@@ -172,6 +175,11 @@ fi
 %{_mandir}/*/*
 
 %changelog
+* Wed Jan 18 2012 Jan Synáček <jsynacek at redhat.com> - 2:2.3.14-41
+- Remove realloc inside svc_activate that was causing memory corruption
+- Number of alloc'd file descriptors is now determined by system limits (ulimit -n)
+- Add patch -realloc-remove
+
 * Tue Jan 17 2012 Jan Synáček <jsynacek at redhat.com> - 2:2.3.14-40
 - Fix memory corruption when loading a large number of services
 - Resolves #720390

More information about the scm-commits mailing list