In channel_close_fd(), the file descriptors for the socket, stdin,
stdout and stderr aren't necessarily distinct, so closing each of them in
turn closes the same descriptor more than once and results in EBADF. In
addition, the diff adds a couple of non-negativity checks to avoid calling
close(-1).

Index: usr.bin/ssh/channels.c
===================================================================
RCS file: /var/cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.378
diff -u -p -r1.378 channels.c
--- usr.bin/ssh/channels.c      23 Jan 2018 05:27:21 -0000      1.378
+++ usr.bin/ssh/channels.c      24 Jan 2018 00:41:18 -0000
@@ -426,10 +426,15 @@ channel_close_fd(struct ssh *ssh, int *f
 static void
 channel_close_fds(struct ssh *ssh, Channel *c)
 {
+       int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd;
+
        channel_close_fd(ssh, &c->sock);
-       channel_close_fd(ssh, &c->rfd);
-       channel_close_fd(ssh, &c->wfd);
-       channel_close_fd(ssh, &c->efd);
+       if (rfd != sock)
+               channel_close_fd(ssh, &c->rfd);
+       if (wfd != sock && wfd != rfd)
+               channel_close_fd(ssh, &c->wfd);
+       if (efd != sock && efd != rfd && efd != wfd)
+               channel_close_fd(ssh, &c->efd);
 }
 
 static void
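Review bot: When a descriptor is skipped as a duplicate, `c->rfd`, `c->wfd` or `c->efd` keeps its old number even though the underlying descriptor has already been closed through `c->sock` or another alias. Assuming channel_close_fd() resets the field it is given to -1 (its body is outside this hunk), the skipped fields are the only ones left holding a stale value, and a later close or I/O on them could hit an unrelated descriptor that reused the number. Ending the function with `c->rfd = c->wfd = c->efd = -1;` would keep all four fields consistent. A short comment above the comparisons, e.g. `/* sock/rfd/wfd/efd may alias the same descriptor; close each only once */`, would also explain why they are there.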
Index: usr.bin/ssh/monitor.c
===================================================================
RCS file: /var/cvs/src/usr.bin/ssh/monitor.c,v
retrieving revision 1.178
diff -u -p -r1.178 monitor.c
--- usr.bin/ssh/monitor.c       23 Jan 2018 05:27:21 -0000      1.178
+++ usr.bin/ssh/monitor.c       24 Jan 2018 00:41:18 -0000
@@ -230,8 +230,10 @@ monitor_child_preauth(Authctxt *_authctx
 
        debug3("preauth child monitor started");
 
-       close(pmonitor->m_recvfd);
-       close(pmonitor->m_log_sendfd);
+       if (pmonitor->m_recvfd >= 0)
+               close(pmonitor->m_recvfd);
+       if (pmonitor->m_log_sendfd >= 0)
+               close(pmonitor->m_log_sendfd);
        pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
 
        authctxt = _authctxt;
@@ -298,8 +300,10 @@ monitor_child_preauth(Authctxt *_authctx
        while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
                ;
 
-       close(pmonitor->m_sendfd);
-       close(pmonitor->m_log_recvfd);
+       if (pmonitor->m_recvfd >= 0)
+               close(pmonitor->m_recvfd);
+       if (pmonitor->m_log_sendfd >= 0)
+               close(pmonitor->m_log_sendfd);
        pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1;
 }
 
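Review bot: The two guarded calls added here close `m_recvfd` and `m_log_sendfd`, but the removed lines closed `m_sendfd` and `m_log_recvfd`, which are the fields the next line sets to -1. The earlier hunk in this file already closes `m_recvfd`/`m_log_sendfd` and sets them to -1, so these guards look like a copy-paste that never fires. That leaves `m_sendfd` (and `m_log_recvfd`, if the read loop has not already closed it) open while its number is overwritten, a descriptor leak in the monitor. The lines should read `if (pmonitor->m_sendfd >= 0) close(pmonitor->m_sendfd);` and `if (pmonitor->m_log_recvfd >= 0) close(pmonitor->m_log_recvfd);`. monitor_child_preauth() starts outside the hunk, so whether anything between the two hunks reassigns these fields is not visible here.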
Index: usr.bin/ssh/ssh-pkcs11-client.c
===================================================================
RCS file: /var/cvs/src/usr.bin/ssh/ssh-pkcs11-client.c,v
retrieving revision 1.7
diff -u -p -r1.7 ssh-pkcs11-client.c
--- usr.bin/ssh/ssh-pkcs11-client.c     30 May 2017 08:52:19 -0000      1.7
+++ usr.bin/ssh/ssh-pkcs11-client.c     23 Jan 2018 00:09:22 -0000
@@ -93,7 +93,8 @@ pkcs11_init(int interactive)
 void
 pkcs11_terminate(void)
 {
-       close(fd);
+       if (fd >= 0)
+               close(fd);
 }
 
 static int
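Review bot: The new guard only helps if `fd` is put back to -1 once it is closed. As written, a second call to pkcs11_terminate() passes the check and closes the same number again, which by then may belong to an unrelated descriptor. `fd` is declared outside this hunk, so its scope and initial value are assumed here. Suggested body: `if (fd >= 0) { close(fd); fd = -1; }`.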
