Bugs found by fuzzing xiconf_parse()/xiconf_parse_section() with crafted
xinetd configuration content. A regression test exercising each case is
added in a follow-up commit (tests/probes/xinetd).

- A line with no trailing newline set the line length to the whole file
  length instead of the bytes remaining from the current offset, so the
  fixed line buffer was overflowed by memcpy() (heap-buffer-overflow). Two
  sites: the top-level scanner and xiconf_parse_section().
- An unterminated service section ran its for(;;) reader past the end of
  the in-memory file; bound the loop to inoff < inlen and guard the
  section entry against inoff already being at/after the end.
- *strchr(buffer, ' ') = '\0' dereferenced NULL when the copied line
  contained an embedded NUL (arbitrary file content), at two sites
  (keyword and service name). Check the result before writing.
- For a keyword with no value, op was set past the keyword's NUL
  terminator, reading out of bounds; only step past it when a value
  follows.
- A (name, protocol) translation key was built with strcpy()/strcat()
  into a fixed buffer with no NULL or length check; a NULL protocol
  dereferenced and an over-long name+protocol overflowed it. Guard both,
  matching the checks already in xiconf_getservice().
- xiconf_service_free() recursed over the ->next chain; a long crafted
  chain overflowed the stack. Free iteratively.
- On an unrecognized type value, scur->type (strdup'd, later free'd) was
  reassigned to a string literal -> invalid free, and the old value
  leaked. Free the old value and strdup("").
- op_assign_str() leaked the previous value when an attribute was
  repeated within a section; free before reassigning.

We are aware of the in-progress hardening in OpenSCAP#2349, which touches this
file; its scope (include-path handling) is narrower and does not cover
the bugs above. Two findings overlap and are reconciled here.

Bugs found by fuzzing xiconf_parse()/xiconf_parse_section() with crafted
xinetd configuration content. A regression test exercising each case is
added in a follow-up commit (tests/probes/xinetd).

- A line with no trailing newline set the line length to the whole file
  length instead of the bytes remaining from the current offset, so the
  fixed line buffer was overflowed by memcpy() (heap-buffer-overflow). Two
  sites: the top-level scanner and xiconf_parse_section().
- An unterminated service section ran its for(;;) reader past the end of
  the in-memory file; bound the loop to inoff < inlen and guard the
  section entry against inoff already being at/after the end.
- *strchr(buffer, ' ') = '\0' dereferenced NULL when the copied line
  contained an embedded NUL (arbitrary file content), at two sites
  (keyword and service name). Check the result before writing.
- For a keyword with no value, op was set past the keyword's NUL
  terminator, reading out of bounds; only step past it when a value
  follows.
- A (name, protocol) translation key was built with strcpy()/strcat()
  into a fixed buffer with no NULL or length check; a NULL protocol
  dereferenced and an over-long name+protocol overflowed it. Guard both,
  matching the checks already in xiconf_getservice().
- xiconf_service_free() recursed over the ->next chain; a long crafted
  chain overflowed the stack. Free iteratively.
- On an unrecognized type value, scur->type (strdup'd, later free'd) was
  reassigned to a string literal -> invalid free, and the old value
  leaked. Free the old value and strdup("").
- op_assign_str() leaked the previous value when an attribute was
  repeated within a section; free before reassigning.

We are aware of the in-progress hardening in OpenSCAP#2349, which touches this
file; its scope (include-path handling) is narrower and does not cover
the bugs above. Two findings overlap and are reconciled here.