From f9c774f737a060b355533c215d7443b9865992a0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <>
Date: Thu, 12 Aug 2021 16:26:09 -0400
Subject: [PATCH] Fix file descriptor leak when executing CA helpers

cm_cadata_start_generic() creates a pipe. One half is passed
to fetch(), the function that does all helper calls,
via the cm_cadata_state variable ret. The other half is the
reader and is used to detect execution errors. There is a pair
of write/read on this descriptor which on error would be the

This second half wasn't being closed after reading to test for

Signed-off-by: Rob Crittenden <>
---
 src/cadata.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/cadata.c b/src/cadata.c
index 3e916c9..d851b9e 100644
--- a/src/cadata.c
+++ b/src/cadata.c
@@ -772,8 +772,10 @@ cm_cadata_start_generic(struct cm_store_ca *ca, const char *op,
 		cm_log(1, "Error running enrollment helper \"%s\": %s.\n",
 		       ca->cm_ca_external_helper, strerror(u));
+		close(error_fd[0]);
 		return NULL;
+	close(error_fd[0]);
 	return ret;
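Review bot: the fix duplicates `close(error_fd[0]);` on both return paths of the hunk (before `return NULL;` and before `return ret;`), which invites the same leak on any future early return; consider instead closing the read end once, immediately after the read that tests for helper execution errors, so every path out of cm_cadata_start_generic() releases it. Also, the hunk header advertises 8 original lines but only the `cm_log` call, the two returns and the two added lines are visible, so the brace closing the error branch is not shown here; please confirm the second `close(error_fd[0]);` really sits outside that branch, otherwise it is unreachable after `return NULL;` and the success path still leaks.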