#656921 net-tools: erroneous program name output from netstat -p

Package:
net-tools
Source:
net-tools
Description:
NET-3 networking toolkit
Submitter:
Anatole Shaw
Date:
2021-06-25 16:57:03 UTC
Severity:
minor
Tags:
#656921#5
Date:
2012-01-22 21:55:31 UTC
From:
To:
"netstat -p" sometimes produces erroneous "Program name" output because
it looks at /proc/*/cmdline (which can be manipulated by setproctitle)
and assumes that information is structured as a pathname.

For example, this process (output from "ps auxw"):

    joe 5987 0.0 0.3 68380 1908 ? S 20:57 0:00 sshd: joe@pts/9

was associated with this incorrect output from "netstat -anp":

    tcp 0 0 10.0.0.10:34199 10.0.0.10:443 ESTABLISHED 5987/9

The text "5987/9" appeared in the "PID/Program name" column because
netstat parsed "9" as the final path element of the command.

The attached patch causes netstat to determine the program name by
dereferencing the /proc/*/exe symlink instead, producing the following
(correct) output regarding the same process:

    tcp 0 0 10.0.0.10:34199 10.0.0.10:443 ESTABLISHED 5987/sshd

Patch (also submitted upstream):
--- netstat.c	2001-04-15 14:41:17.000000000 +0000
+++ netstat.c	2012-01-22 20:24:19.000000000 +0000
@@ -246,6 +246,8 @@
 #define PATH_PROC_X_FD      PATH_PROC "/%s/" PATH_FD_SUFF
 #define PATH_CMDLINE	"cmdline"
 #define PATH_CMDLINEl       strlen(PATH_CMDLINE)
+#define PATH_EXE	"exe"
+#define PATH_EXEl	    strlen(PATH_EXE)
 /* NOT working as of glibc-2.0.7: */
 #undef  DIRENT_HAVE_D_TYPE_WORKS

@@ -393,16 +395,11 @@
             if (inode < 0) continue;

 	    if (!cmdlp) {
-		if (procfdlen - PATH_FD_SUFFl + PATH_CMDLINEl >=
+		if (procfdlen - PATH_FD_SUFFl + PATH_EXEl >=
 		    sizeof(line) - 5)
 		    continue;
-		strcpy(line + procfdlen-PATH_FD_SUFFl, PATH_CMDLINE);
-		fd = open(line, O_RDONLY);
-		if (fd < 0)
-		    continue;
-		cmdllen = read(fd, cmdlbuf, sizeof(cmdlbuf) - 1);
-		if (close(fd))
-		    continue;
+		strcpy(line + procfdlen-PATH_FD_SUFFl, PATH_EXE);
+		cmdllen = readlink(line, cmdlbuf, sizeof(cmdlbuf)-1);
 		if (cmdllen == -1)
 		    continue;
 		if (cmdllen < sizeof(cmdlbuf) - 1)

#656921#10
Date:
2014-05-11 19:30:33 UTC
From:
To:
severity 656921 minor
thanks

Hi Anatole,

Sorry for the very late response.

First of all, I am adjusting the severity of the bug. This is not an
important bug, you still get the right PID, and showing the name of the
command is always problematic (think ps), so I think this is minor severity.

I looked at your patch for netstat, and I find one problem with it: for
scripts, it will report the name of the interpreter instead of the
script name, which would be considered a bug by people which expect the
script name instead.

Also, your patch does not match your description of the problem, which
is interpreting the '/' as a path separator.

Finally, the -p output of netstat has been pretty broken since forever,
and the code is not pretty. I would just recommend to use 'ss -p' which
has a much better output.

I am actually tempted to close this bug, but I'd accept a patch that
solves this in some reasonable way without creating other problems.

Thanks.

#656921#17
Date:
2021-06-25 16:55:24 UTC
From:
To:
I think it is better to use '/proc/<pid>/comm' instead; it shows
correct script name instead of interpreter name, and didn't have the
issues of 'cmdline'.