tech-userlevel archive


inetd(8) bugs

You will find attached an example of a configuration exercising bugs in
the current implementation of inetd(8).

Emphasize: this is the current inetd(8) not my implementation.

How it works:

There is the possibility to set a default host address by specifying an
address with a trailing ':' and nothing after.

The problem is that the current implementation allows continuation lines
(for legacy or v2 syntax) and swallows any continuation line without
verifying if a statement (my definition; it is not defined in the current
man page) has begun.

If, after it, there are empty lines (optional) and an unfortunate leading
blank in the next line that is not empty or blank, the defhost statement
is concatenated with the remainder and hence not considered as a
defhost statement: the address is applied to the first other line
(here the line starting with a blank and 5432), but the default
remains '*' (any) and if one invokes, not as root:

$ inetd -d bug.conf

the next entry: 5433 is rejected because it can't be applied (if not
root) to any. (If you suppress the leading blank before 5432, the
defhost is set and 5433, applied to, succeeds).

Other problems:

- A line starting with a blank is a continuation line; so a statement
must start at the beginning of the line; but the parsing accepts 
leading blanks for the beginning of the statement; this comes from
the problem of having introduced ';' as a statement terminator in v2
syntax (while this was superfluous) and allowing blanks around it---this
is why in the syntax I have re-specified, the end of a statement is
a new line or, for a non-empty
statement (and only a non-empty statement): '[[:blank:]]*;[[:blank:]]*',
the only way to be able to define an empty statement AND to allow
continuation lines for non-empty statements i.e. statements that have

- It is not said in the manual page, but handling of quotes is done for
anything, legacy syntax included;

- Quoting is said to be '/* Parse shell-style quotes */' while there
is no difference made between single quotes quoting and double quotes
quoting (contrary to shell quoting);

- Escape sequences work only in v2 and only between quotes: not outside.
This renders them almost useless---because quoting allows tokenizing
and incidentally "escape" special characters inside quotes;

- The way the parsing is done, the "#@ [<ipsec>]" and "ipsec =" can only
take one argument.

There is one thing "curious" when testing (not as root) the bug.conf
attached. Here is the result:

$ inetd -d /tmp/bug.conf

/tmp/bug.conf line 5: Found service definition '5432'
ADD : proto=udp, wait.max=1.5, user:group=root:(null) builtin=0 server=test_server policy="in discard" 
/tmp/bug.conf line 15: Found service definition '5433'
/tmp/bug.conf line 21: Ignoring invalid definition.
1 service(s) loaded.
Going away.

After "Going away\n" there is a spurious:

This comes from the ipsec and is sent to stdout (other messages from
inetd(8) are sent to stderr).

I have not searched to identify exactly where it comes from (but this is
ipsec related since, if one suppresses the default ipsec directive in
the bug.conf, no quadruple double quotes are printed).
        Thierry Laronde <tlaronde +AT+ polynum +dot+ com>
Key fingerprint = 0FF7 E906 FBAF FE95 FD89  250D 52B1 AE95 6006 F40C
#@ "in discard" 
# Invalidate wrong deprecated defhost directive.
 5432 on
	protocol = udp,
	wait = yes,
	user = root,
	service_max = 5,
	ip_max = 3,
	exec = test_server,
	args = test_server dgram wait '\x00some_arg';

#Test ip_max of 0
 5433 on
	protocol = udp,
	wait = yes,
	user = \x72oot,
	ip_max = 0,
	exec = test_server,
	args = test_server dgram wait;
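
The continuation-line folding described in the message, as an added example that is not part of the original post and is not inetd(8)'s code: a simplified model in which an unchecked fold glues a blank-led line onto a default-host directive, next to a fold that first checks whether a statement is still open. The function names, the closing rule (a defhost directive or a trailing ';' ends a statement) and the sample address 192.0.2.1 are assumptions made for the illustration.

```python
# Simplified model of the folding described in the post; not inetd(8)'s code.
# Constructed sample: 192.0.2.1 is a documentation address, not from the post.
SAMPLE = "192.0.2.1:\n\n 5432 on protocol = udp;\n5433 on protocol = udp;\n"


def is_defhost(stmt):
    """Default-host directive: a single token ending in ':', nothing after."""
    tok = stmt.split()
    return len(tok) == 1 and len(tok[0]) > 1 and tok[0].endswith(":")


def fold(text, check_statement):
    """Join physical lines into statements.

    check_statement=False: a line starting with a blank is always glued to
    the previous statement (the behaviour the post reports).
    check_statement=True: it is glued only while a statement is still open;
    assumed rule: a defhost directive or a trailing ';' closes the statement.
    """
    statements, open_stmt = [], False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # empty lines and comments do not close anything here
        is_cont = raw[0] in " \t" and bool(statements)
        if is_cont and (open_stmt or not check_statement):
            statements[-1] += " " + raw.strip()
        else:
            statements.append(raw.strip())
        last = statements[-1]
        open_stmt = not (is_defhost(last) or last.endswith(";"))
    return statements


def default_host(statements):
    """Host set by the last defhost directive, or '*' (any) if none parsed."""
    host = "*"
    for stmt in statements:
        if is_defhost(stmt):
            host = stmt[:-1]
    return host


if __name__ == "__main__":
    for checked in (False, True):
        stmts = fold(SAMPLE, checked)
        print(checked, default_host(stmts), stmts)
```

With the unchecked fold the directive disappears into the 5432 entry and the default stays '*', which is the situation in which the next entry is rejected for a non-root user.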
