From b4c090d2e12956a2df6157592839936adf4024f4 Mon Sep 17 00:00:00 2001

From: Rob Crittenden <rcritten@redhat.com>

Date: Thu, 12 Aug 2021 16:26:09 -0400

Subject: [PATCH] Fix file descriptor leak when executing CA helpers

cm_cadata_start_generic() creates a pipe. One half is passed

to fetch(), the function that does all helper calls,

via the cm_cadata_state variable ret. The other half is the

reader and is used to detect execution errors. There is a pair

of write/read on this descriptor which on error would be the

errno.

This second half wasn't being closed after reading to test for

errors.

https://bugzilla.redhat.com/show_bug.cgi?id=1992439

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

---

 src/cadata.c | 1 +

 1 file changed, 1 insertion(+)

diff --git a/src/cadata.c b/src/cadata.c

index cb9c13e2..c2764d3b 100644

--- a/src/cadata.c

+++ b/src/cadata.c

@@ -773,6 +773,7 @@ cm_cadata_start_generic(struct cm_store_ca *ca, const char *op,

 		       ca->cm_ca_external_helper, strerror(u));

 		/* return the state so the process can be reaped */

 	}

+	close(error_fd[0]);

 	return ret;

 }

-- 

2.26.3