diff -ur tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c

--- tcp_wrappers_7.6.orig/hosts_access.c	Wed Feb 12 04:13:23 1997

+++ tcp_wrappers_7.6/hosts_access.c	Thu Dec 19 21:54:16 2002

@@ -57,6 +57,7 @@

 #define	YES		1

 #define	NO		0

+#define	ERROR		-1

  /*

   * These variables are globally visible so that they can be redirected in

@@ -92,7 +93,7 @@

 int     hosts_access(request)

 struct request_info *request;

 {

-    int     verdict;

+    int verdict, m1=NO, m2=NO;

     /*

      * If the (daemon, client) pair is matched by an entry in the file

@@ -108,17 +109,23 @@

      * hosts_access() routine, bypassing the regular return from the

      * table_match() function calls below.

      */

-

+    if (request->server == NULL)

+        tcpd_warn("Server is NULL");

+    if (request->client == NULL)

+        tcpd_warn("Client is NULL");

     if (resident <= 0)

 	resident++;

     verdict = setjmp(tcpd_buf);

     if (verdict != 0)

 	return (verdict == AC_PERMIT);

-    if (table_match(hosts_allow_table, request))

-	return (YES);

-    if (table_match(hosts_deny_table, request))

-	return (NO);

-    return (YES);

+    if ((m1 = table_match(hosts_allow_table, request)) == YES)

+	return YES;

+    if ((m2 = table_match(hosts_deny_table, request)) == YES)

+	return NO;

+    if ((m1 == ERROR) || (m2 == ERROR))

+	return NO;

+    else

+    	return YES;

 }

 /* table_match - match table entries with (daemon, client) pair */

@@ -145,6 +152,7 @@

 	tcpd_context.file = table;

 	tcpd_context.line = 0;

 	while (match == NO && xgets(sv_list, sizeof(sv_list), fp) != 0) {

+	    int m1, m2;

 	    if (sv_list[strlen(sv_list) - 1] != '\n') {

 		tcpd_warn("missing newline or line too long");

 		continue;

@@ -156,17 +164,27 @@

 		continue;

 	    }

 	    sh_cmd = split_at(cl_list, ':');

-	    match = list_match(sv_list, request, server_match)

-		&& list_match(cl_list, request, client_match);

+	    m1 = list_match(sv_list, request, server_match);

+	    m2 = list_match(cl_list, request, client_match);

+	    if ((m1 == ERROR) || (m2 == ERROR))

+	        match = ERROR;

+	    else

+		match = m1 && m2;

 	}

 	(void) fclose(fp);

     } else if (errno != ENOENT) {

 	tcpd_warn("cannot open %s: %m", table);

+	match = ERROR;

     }

-    if (match) {

+    if (match == YES) {

+#if 0

+	if (hosts_access_verbose > 2)

+	    tcpd_warn("matched: %s line %d",

+		tcpd_context.file, tcpd_context.line);

+#endif

 	if (hosts_access_verbose > 1)

-	    syslog(LOG_DEBUG, "matched:  %s line %d",

-		   tcpd_context.file, tcpd_context.line);

+	    syslog(LOG_DEBUG, "matched: %s line %d",

+		tcpd_context.file, tcpd_context.line);

 	if (sh_cmd) {

 #ifdef PROCESS_OPTIONS

 	    process_options(sh_cmd, request);

@@ -198,14 +216,25 @@

     for (tok = strtok(list, sep); tok != 0; tok = strtok((char *) 0, sep)) {

 	if (STR_EQ(tok, "EXCEPT"))		/* EXCEPT: give up */

-	    return (NO);

-	if (match_fn(tok, request)) {		/* YES: look for exceptions */

+	    return NO;

+	if (match_fn(tok, request) == YES) {	/* YES: look for exceptions */

 	    while ((tok = strtok((char *) 0, sep)) && STR_NE(tok, "EXCEPT"))

 		 /* VOID */ ;

-	    return (tok == 0 || list_match((char *) 0, request, match_fn) == 0);

+	    if (tok == 0)

+		    return YES;

+	    else

+	    {

+	        int m1 = list_match((char *) 0, request, match_fn);

+		if (m1 == NO)

+			return YES;

+		else if (m1 == ERROR)

+			return ERROR;

+		else

+			return NO;

+	    }

 	}

     }

-    return (NO);

+    return NO;

 }

 /* server_match - match server information */

@@ -217,10 +246,17 @@

     char   *host;

     if ((host = split_at(tok + 1, '@')) == 0) {	/* plain daemon */

-	return (string_match(tok, eval_daemon(request)));

+	return string_match(tok, eval_daemon(request));

     } else {					/* daemon@host */

-	return (string_match(tok, eval_daemon(request))

-		&& host_match(host, request->server));

+	int m1, m2;

+

+	m1 = host_match(host, request->server);

+	m2 = string_match(tok, eval_daemon(request));

+

+	if ( m1 == ERROR )

+	   return m1;

+	

+	return ( m1 && m2 );

     }

 }

@@ -232,11 +268,20 @@

 {

     char   *host;

+    if (request->client == NULL)

+	tcpd_warn("client is NULL");

     if ((host = split_at(tok + 1, '@')) == 0) {	/* plain host */

-	return (host_match(tok, request->client));

+	return host_match(tok, request->client);

     } else {					/* user@host */

-	return (host_match(host, request->client)

-		&& string_match(tok, eval_user(request)));

+	int m1, m2;

+

+	m1 = host_match(host, request->client);

+       m2 = string_match(tok, eval_user(request));

+

+	if (m1 == ERROR)

+	    return m1;

+	

+	return ( m1 && m2 );

     }

 }

@@ -265,7 +310,7 @@

 	return (innetgr(tok + 1, eval_hostname(host), (char *) 0, mydomain));

 #else

 	tcpd_warn("netgroup support is disabled");	/* not tcpd_jump() */

-	return (NO);

+	return ERROR;

 #endif

     } else if (STR_EQ(tok, "KNOWN")) {		/* check address and name */

 	char   *name = eval_hostname(host);