OpenSCAP · edznux-dd · Jun 19, 2026
diff --git a/src/OVAL/probes/unix/xinetd_probe.c b/src/OVAL/probes/unix/xinetd_probe.c
@@ -48,6 +48,7 @@ int main (int argc, char *argv[])
 
 	if (xres == NULL) {
 		fprintf(stderr, "Not found.\n");
+		xiconf_free(xcfg);
 		return (3);
 	} else {
 		register unsigned int l;
@@ -89,5 +90,6 @@ int main (int argc, char *argv[])
 		}
 	}
 
+	xiconf_free(xcfg);
 	return (0);
 }
@@ -80,6 +80,37 @@ function test_probe_xinetd_duplicates {
     return 1
 }
 
+# Regression test for memory-safety bugs in xiconf_parse()/xiconf_parse_section().
+# Each of these inputs used to crash the parser (heap-buffer-overflow, NULL-pointer
+# dereference, invalid free, ...) before the guards were added. The parser must now
+# handle them without crashing; the service/protocol arguments are arbitrary, we only
+# care that the process is neither killed by a signal nor trips a sanitizer.
+function test_probe_xinetd_regression_malformed {
+    local ret_val=0
+    local f errf rc
+    for f in xinetd_crash_keyword_no_value.conf \
+	     xinetd_crash_section_no_eol.conf \
+	     xinetd_crash_service_name_no_space.conf \
+	     xinetd_crash_service_null_protocol.conf \
+	     xinetd_crash_type_not_enum.conf ; do
+	errf=$(mktemp)
+	./test_probe_xinetd "${srcdir}/${f}" foo tcp > /dev/null 2>"$errf"
+	rc=$?
+	# Ignore the pre-existing, harmless UBSan report about calling a typed
+	# rbtree callback through a generic function pointer; flag a termination
+	# by signal (exit >= 128) or any other sanitizer/runtime error.
+	if [[ "$rc" -ge 128 ]] || \
+	   grep -v "through pointer to incorrect function type" "$errf" \
+		| grep -q "ERROR: AddressSanitizer:\|AddressSanitizer:DEADLYSIGNAL\|LeakSanitizer:\|runtime error:" ; then
+	    echo "CRASH on malformed input ${f} (exit ${rc}):"
+	    cat "$errf"
+	    ret_val=$[$ret_val + 1]
+	fi
+	rm -f "$errf"
+    done
+    return $ret_val
+}
+
 # Testing.
 
 test_init
@@ -88,6 +119,7 @@ if [ -z ${CUSTOM_OSCAP+x} ] ; then
     test_run "test_probe_xinetd_parser" test_probe_xinetd_parser
     test_run "xinetd parser regression test: string list" test_probe_xinetd_regression_stringlist
     test_run "test_probe_xinetd_duplicates" test_probe_xinetd_duplicates
+    test_run "xinetd parser regression test: malformed input" test_probe_xinetd_regression_malformed
 fi
 
 test_exit
@@ -0,0 +1,11 @@
+defau  = 60
+    log_type       = SYSLOG authpriv}
+service fuzz
+{
+  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ  socket_type   wiat        = no
+    user       = no
+    user        = root
+    server      = /usr/sbble = /usr/sbin/in.fuzzd
+    disable     = no
+}
+incudledir /etc/xinetd.d
@@ -0,0 +1,24 @@
+defaults
+{
+    innsstceSLOG authpriv
+}
+service fu~…
+{
+    socket_!(= SYSLOG authpriv
+}
+service fqzz
+{
+    socket_thpriv
+}
+service fu~…
+{
+    iv
+}
+service fqzz
+{
+    socket_SYSLOG authpriv
+}
+service fqzz
+{
+    type =t e ear
+sm  ! protocouzetd.d