Just use O_CLOEXEC or SOCK_CLOEXEC on everything. There is no reason to
keep any kind of file descriptor open across an exec call. At least this way
I'm sure that no fds will leak into the children.
OK?
--
:wq Claudio
? obj
Index: carp.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/carp.c,v
retrieving revision 1.9
diff -u -p -r1.9 carp.c
--- carp.c 24 Jan 2017 04:22:42 -0000 1.9
+++ carp.c 8 Aug 2019 11:33:37 -0000
@@ -108,7 +108,7 @@ carp_demote_get(char *group)
int s;
struct ifgroupreq ifgr;
- if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1) {
+ if ((s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0)) == -1) {
log_warn("carp_demote_get: socket");
return (-1);
}
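Review bot: The log_warn() call in carp_demote_get still hard-codes the function name, `log_warn("carp_demote_get: socket");`, while the matching call in the carp_demote_ioctl hunk below uses `__func__`. Since this hunk already touches the socket() line, the message could become `log_warn("%s: socket", __func__);` so the two stay in step if either function is renamed. Both function bodies continue outside their hunks.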
@@ -162,7 +162,7 @@ carp_demote_ioctl(char *group, int demot
int s, res;
struct ifgroupreq ifgr;
- if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1) {
+ if ((s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0)) == -1) {
log_warn("%s: socket", __func__);
return (-1);
}
Index: control.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/control.c,v
retrieving revision 1.97
diff -u -p -r1.97 control.c
--- control.c 27 May 2019 09:14:32 -0000 1.97
+++ control.c 8 Aug 2019 11:33:37 -0000
@@ -47,7 +47,7 @@ control_check(char *path)
sun.sun_family = AF_UNIX;
strlcpy(sun.sun_path, path, sizeof(sun.sun_path));
- if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
+ if ((fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)) == -1) {
log_warn("%s: socket", __func__);
return (-1);
}
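Review bot: The return value of strlcpy() on the context line above the socket() call is not checked, so a path longer than sun_path would be truncated silently and control_check would then probe a different socket path than the one it was given. A guard such as `if (strlcpy(sun.sun_path, path, sizeof(sun.sun_path)) >= sizeof(sun.sun_path)) return (-1);` before socket() would make that case explicit, ideally with a log_warn. The line is unchanged by this commit, and control_check starts and ends outside the hunk, so an earlier length check may exist where it is not visible.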
Index: kroute.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/kroute.c,v
retrieving revision 1.237
diff -u -p -r1.237 kroute.c
--- kroute.c 23 Jul 2019 06:26:44 -0000 1.237
+++ kroute.c 8 Aug 2019 11:33:37 -0000
@@ -2886,7 +2886,7 @@ get_mpe_config(const char *name, u_int *
*label = 0;
*rdomain = 0;
- s = socket(AF_INET, SOCK_DGRAM, 0);
+ s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
if (s == -1)
return (-1);
Index: mrt.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/mrt.c,v
retrieving revision 1.99
diff -u -p -r1.99 mrt.c
--- mrt.c 24 Jul 2019 08:58:24 -0000 1.99
+++ mrt.c 8 Aug 2019 11:33:38 -0000
@@ -908,7 +908,7 @@ mrt_open(struct mrt *mrt, time_t now)
}
fd = open(MRT2MC(mrt)->file,
- O_WRONLY|O_NONBLOCK|O_CREAT|O_TRUNC, 0644);
+ O_WRONLY|O_NONBLOCK|O_CREAT|O_TRUNC|O_CLOEXEC, 0644);
if (fd == -1) {
log_warn("mrt_open %s", MRT2MC(mrt)->file);
return (1);
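Review bot: The open() in mrt_open creates and truncates the dump file but will follow a symbolic link in the final path component, and the flags line edited here is the natural place to add `O_NOFOLLOW`: `O_WRONLY|O_NONBLOCK|O_CREAT|O_TRUNC|O_CLOEXEC|O_NOFOLLOW, 0644);`. Whether the dump directory can be written by anyone other than the daemon's own user is not visible in this hunk, so this is a hardening suggestion rather than a confirmed defect. The 0644 mode also leaves dumps world-readable, subject to umask; a one-line comment stating that this is intended would help. mrt_open continues outside the hunk.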
Index: pftable.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/pftable.c,v
retrieving revision 1.13
diff -u -p -r1.13 pftable.c
--- pftable.c 28 Jun 2019 13:32:47 -0000 1.13
+++ pftable.c 8 Aug 2019 11:33:38 -0000
@@ -63,7 +63,7 @@ pftable_change(struct pf_table *pft)
if (pft->naddrs == 0 || pft->what == 0)
return (0);
- if (devpf == -1 && ((devpf = open("/dev/pf", O_RDWR)) == -1))
+ if (devpf == -1 && ((devpf = open("/dev/pf", O_RDWR|O_CLOEXEC)) == -1))
fatal("open(/dev/pf)");
bzero(&tio, sizeof(tio));
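Review bot: The same `open("/dev/pf", ...)` guard is now edited in three places, here in pftable_change and again in the pftable_clear and pftable_exists hunks, so any later flag change has to be repeated three times and one copy could be missed. devpf appears to be a file-scope descriptor that stays open once set, which makes it the descriptor where a missed O_CLOEXEC would matter most. A small static helper that opens the device on first use, called from each function, would keep the flags in one place; the helper name below is a suggestion only. All three function bodies continue outside their hunks.

```c
/* Open /dev/pf on first use; the descriptor must not survive exec. */
static void
pftable_open_dev(void)
{
	if (devpf == -1 && (devpf = open("/dev/pf", O_RDWR|O_CLOEXEC)) == -1)
		fatal("open(/dev/pf)");
}

/* … unchanged: pftable_change early return when there is nothing to do … */
	pftable_open_dev();
```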
@@ -90,7 +90,7 @@ pftable_clear(const char *name)
{
struct pfioc_table tio;
- if (devpf == -1 && ((devpf = open("/dev/pf", O_RDWR)) == -1))
+ if (devpf == -1 && ((devpf = open("/dev/pf", O_RDWR|O_CLOEXEC)) == -1))
fatal("open(/dev/pf)");
bzero(&tio, sizeof(tio));
@@ -111,7 +111,7 @@ pftable_exists(const char *name)
struct pfioc_table tio;
struct pfr_astats dummy;
- if (devpf == -1 && ((devpf = open("/dev/pf", O_RDWR)) == -1))
+ if (devpf == -1 && ((devpf = open("/dev/pf", O_RDWR|O_CLOEXEC)) == -1))
fatal("open(/dev/pf)");
bzero(&tio, sizeof(tio));