mirrors/linux-pam
0
0
Fork 0
mirror of https://github.com/linux-pam/linux-pam.git synced 2024-11-23 09:43:36 +08:00
Code Issues Packages Projects Releases Wiki Activity

pam_filter: fix potential fd leak on error path

Browse Source 
Resolves: https://github.com/linux-pam/linux-pam/issues/829
This commit is contained in:
Dmitry V. Levin 2024-09-11 08:00:00 +00:00
parent 63ba6e4aa1
commit 2d6f1998dd
1 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
modules/pam_filter/pam_filter.c
View File

@ -322,18 +322,21 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
if (setsid() == -1) {
pam_syslog(pamh, LOG_ERR,
"child cannot become new session: %m");
close(fd[0]);
return PAM_ABORT;
}
/* grant slave terminal */
if (grantpt (fd[0]) < 0) {
pam_syslog(pamh, LOG_ERR, "Cannot grant access to slave terminal");
close(fd[0]);
return PAM_ABORT;
}
/* unlock slave terminal */
if (unlockpt (fd[0]) < 0) {
pam_syslog(pamh, LOG_ERR, "Cannot unlock slave terminal");
close(fd[0]);
return PAM_ABORT;
}
@ -343,6 +346,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
if (terminal == NULL) {
pam_syslog(pamh, LOG_ERR,
"Cannot get the name of the slave terminal: %m");
close(fd[0]);
return PAM_ABORT;
}
@ -381,6 +385,10 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
return PAM_ABORT;
}
/* now the user input is read from the parent/filter: forget fd */
close(fd[1]);
/* make sure that file descriptors survive 'exec's */
if ( fcntl(STDIN_FILENO, F_SETFD, 0) ||
@ -391,10 +399,6 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
return PAM_ABORT;
}
/* now the user input is read from the parent/filter: forget fd */
close(fd[1]);
/* the current process is now apparently working with filtered
stdio/stdout/stderr --- success! */