diff --git a/dhcp-4.2.0-CLOEXEC.patch b/dhcp-4.2.0-CLOEXEC.patch new file mode 100644 index 0000000..3107eca --- /dev/null +++ b/dhcp-4.2.0-CLOEXEC.patch @@ -0,0 +1,400 @@ +--- client/clparse.c.orig ++++ client/clparse.c +@@ -210,7 +210,7 @@ int read_client_conf_file (const char *n + int token; + isc_result_t status; + +- if ((file = open (name, O_RDONLY)) < 0) ++ if ((file = open (name, O_RDONLY | O_CLOEXEC)) < 0) + return uerr2isc (errno); + + cfile = NULL; +@@ -247,7 +247,7 @@ void read_client_leases () + + /* Open the lease file. If we can't open it, just return - + we can safely trust the server to remember our state. */ +- if ((file = open (path_dhclient_db, O_RDONLY)) < 0) ++ if ((file = open (path_dhclient_db, O_RDONLY | O_CLOEXEC)) < 0) + return; + + cfile = NULL; +--- client/dhclient.c.orig ++++ client/dhclient.c +@@ -127,11 +127,11 @@ main(int argc, char **argv) { + /* Make sure that file descriptors 0 (stdin), 1, (stdout), and + 2 (stderr) are open. To do this, we assume that when we + open a file the lowest available file descriptor is used. */ +- fd = open("/dev/null", O_RDWR); ++ fd = open("/dev/null", O_RDWR | O_CLOEXEC); + if (fd == 0) +- fd = open("/dev/null", O_RDWR); ++ fd = open("/dev/null", O_RDWR | O_CLOEXEC); + if (fd == 1) +- fd = open("/dev/null", O_RDWR); ++ fd = open("/dev/null", O_RDWR | O_CLOEXEC); + if (fd == 2) + log_perror = 0; /* No sense logging to /dev/null. */ + else if (fd != -1) +@@ -406,7 +406,7 @@ main(int argc, char **argv) { + int e; + + oldpid = 0; +- if ((pidfd = fopen(path_dhclient_pid, "r")) != NULL) { ++ if ((pidfd = fopen(path_dhclient_pid, "re")) != NULL) { + e = fscanf(pidfd, "%ld\n", &temp); + oldpid = (pid_t)temp; + +@@ -2627,7 +2627,7 @@ void rewrite_client_leases () + + if (leaseFile != NULL) + fclose (leaseFile); +- leaseFile = fopen (path_dhclient_db, "w"); ++ leaseFile = fopen (path_dhclient_db, "we"); + if (leaseFile == NULL) { + log_error ("can't create %s: %m", path_dhclient_db); + return; +@@ -2731,7 +2731,7 @@ write_duid(struct data_string *duid) + return DHCP_R_INVALIDARG; + + if (leaseFile == NULL) { /* XXX? */ +- leaseFile = fopen(path_dhclient_db, "w"); ++ leaseFile = fopen(path_dhclient_db, "we"); + if (leaseFile == NULL) { + log_error("can't create %s: %m", path_dhclient_db); + return ISC_R_IOERROR; +@@ -2779,7 +2779,7 @@ write_client6_lease(struct client_state + return DHCP_R_INVALIDARG; + + if (leaseFile == NULL) { /* XXX? */ +- leaseFile = fopen(path_dhclient_db, "w"); ++ leaseFile = fopen(path_dhclient_db, "we"); + if (leaseFile == NULL) { + log_error("can't create %s: %m", path_dhclient_db); + return ISC_R_IOERROR; +@@ -2911,7 +2911,7 @@ int write_client_lease (client, lease, r + return 1; + + if (leaseFile == NULL) { /* XXX */ +- leaseFile = fopen (path_dhclient_db, "w"); ++ leaseFile = fopen (path_dhclient_db, "we"); + if (leaseFile == NULL) { + log_error ("can't create %s: %m", path_dhclient_db); + return 0; +@@ -3400,9 +3400,9 @@ void go_daemon () + close(2); + + /* Reopen them on /dev/null. */ +- open("/dev/null", O_RDWR); +- open("/dev/null", O_RDWR); +- open("/dev/null", O_RDWR); ++ open("/dev/null", O_RDWR | O_CLOEXEC); ++ open("/dev/null", O_RDWR | O_CLOEXEC); ++ open("/dev/null", O_RDWR | O_CLOEXEC); + + write_client_pid_file (); + +@@ -3414,14 +3414,14 @@ void write_client_pid_file () + FILE *pf; + int pfdesc; + +- pfdesc = open (path_dhclient_pid, O_CREAT | O_TRUNC | O_WRONLY, 0644); ++ pfdesc = open (path_dhclient_pid, O_CREAT | O_TRUNC | O_WRONLY | O_CLOEXEC, 0644); + + if (pfdesc < 0) { + log_error ("Can't create %s: %m", path_dhclient_pid); + return; + } + +- pf = fdopen (pfdesc, "w"); ++ pf = fdopen (pfdesc, "we"); + if (!pf) + log_error ("Can't fdopen %s: %m", path_dhclient_pid); + else { +--- common/bpf.c.orig ++++ common/bpf.c +@@ -94,7 +94,7 @@ int if_register_bpf (info) + for (b = 0; 1; b++) { + /* %Audit% 31 bytes max. %2004.06.17,Safe% */ + sprintf(filename, BPF_FORMAT, b); +- sock = open (filename, O_RDWR, 0); ++ sock = open (filename, O_RDWR | O_CLOEXEC, 0); + if (sock < 0) { + if (errno == EBUSY) { + continue; +--- common/discover.c.orig ++++ common/discover.c +@@ -409,7 +409,7 @@ begin_iface_scan(struct iface_conf_list + int len; + int i; + +- ifaces->fp = fopen("/proc/net/dev", "r"); ++ ifaces->fp = fopen("/proc/net/dev", "re"); + if (ifaces->fp == NULL) { + log_error("Error opening '/proc/net/dev' to list interfaces"); + return 0; +@@ -444,7 +444,7 @@ begin_iface_scan(struct iface_conf_list + + #ifdef DHCPv6 + if (local_family == AF_INET6) { +- ifaces->fp6 = fopen("/proc/net/if_inet6", "r"); ++ ifaces->fp6 = fopen("/proc/net/if_inet6", "re"); + if (ifaces->fp6 == NULL) { + log_error("Error opening '/proc/net/if_inet6' to " + "list IPv6 interfaces; %m"); +--- common/dlpi.c.orig ++++ common/dlpi.c +@@ -808,7 +808,7 @@ dlpiopen(const char *ifname) { + } + *dp = '\0'; + +- return open (devname, O_RDWR, 0); ++ return open (devname, O_RDWR | O_CLOEXEC, 0); + } + + /* +--- common/nit.c.orig ++++ common/nit.c +@@ -81,7 +81,7 @@ int if_register_nit (info) + struct strioctl sio; + + /* Open a NIT device */ +- sock = open ("/dev/nit", O_RDWR); ++ sock = open ("/dev/nit", O_RDWR | O_CLOEXEC); + if (sock < 0) + log_fatal ("Can't open NIT device for %s: %m", info -> name); + +--- common/resolv.c.orig ++++ common/resolv.c +@@ -49,7 +49,7 @@ void read_resolv_conf (parse_time) + struct domain_search_list *dp, *dl, *nd; + isc_result_t status; + +- if ((file = open (path_resolv_conf, O_RDONLY)) < 0) { ++ if ((file = open (path_resolv_conf, O_RDONLY | O_CLOEXEC)) < 0) { + log_error ("Can't open %s: %m", path_resolv_conf); + return; + } +--- common/upf.c.orig ++++ common/upf.c +@@ -77,7 +77,7 @@ int if_register_upf (info) + /* %Audit% Cannot exceed 36 bytes. %2004.06.17,Safe% */ + sprintf(filename, "/dev/pf/pfilt%d", b); + +- sock = open (filename, O_RDWR, 0); ++ sock = open (filename, O_RDWR | O_CLOEXEC, 0); + if (sock < 0) { + if (errno == EBUSY) { + continue; +--- dst/dst_api.c.orig ++++ dst/dst_api.c +@@ -437,7 +437,7 @@ dst_s_write_private_key(const DST_KEY *k + PRIVATE_KEY, PATH_MAX); + + /* Do not overwrite an existing file */ +- if ((fp = dst_s_fopen(file, "w", 0600)) != NULL) { ++ if ((fp = dst_s_fopen(file, "we", 0600)) != NULL) { + int nn; + if ((nn = fwrite(encoded_block, 1, len, fp)) != len) { + EREPORT(("dst_write_private_key(): Write failure on %s %d != %d errno=%d\n", +@@ -494,7 +494,7 @@ dst_s_read_public_key(const char *in_nam + * flags, proto, alg stored as decimal (or hex numbers FIXME). + * (FIXME: handle parentheses for line continuation.) + */ +- if ((fp = dst_s_fopen(name, "r", 0)) == NULL) { ++ if ((fp = dst_s_fopen(name, "re", 0)) == NULL) { + EREPORT(("dst_read_public_key(): Public Key not found %s\n", + name)); + return (NULL); +@@ -620,7 +620,7 @@ dst_s_write_public_key(const DST_KEY *ke + return (0); + } + /* create public key file */ +- if ((fp = dst_s_fopen(filename, "w+", 0644)) == NULL) { ++ if ((fp = dst_s_fopen(filename, "w+e", 0644)) == NULL) { + EREPORT(("DST_write_public_key: open of file:%s failed (errno=%d)\n", + filename, errno)); + return (0); +@@ -854,7 +854,7 @@ dst_s_read_private_key_file(char *name, + return (0); + } + /* first check if we can find the key file */ +- if ((fp = dst_s_fopen(filename, "r", 0)) == NULL) { ++ if ((fp = dst_s_fopen(filename, "re", 0)) == NULL) { + EREPORT(("dst_s_read_private_key_file: Could not open file %s in directory %s\n", + filename, dst_path[0] ? dst_path : + (char *) getcwd(NULL, PATH_MAX - 1))); +--- dst/prandom.c.orig ++++ dst/prandom.c +@@ -269,7 +269,7 @@ get_dev_random(u_char *output, unsigned + + s = stat("/dev/random", &st); + if (s == 0 && S_ISCHR(st.st_mode)) { +- if ((fd = open("/dev/random", O_RDONLY | O_NONBLOCK)) != -1) { ++ if ((fd = open("/dev/random", O_RDONLY | O_NONBLOCK | O_CLOEXEC)) != -1) { + if ((n = read(fd, output, size)) < 0) + n = 0; + close(fd); +@@ -480,7 +480,7 @@ digest_file(dst_work *work) + work->file_digest = dst_free_key(work->file_digest); + return (0); + } +- if ((fp = fopen(name, "r")) == NULL) ++ if ((fp = fopen(name, "re")) == NULL) + return (0); + for (no = 0; (i = fread(buf, sizeof(*buf), sizeof(buf), fp)) > 0; + no += i) +--- omapip/trace.c.orig ++++ omapip/trace.c +@@ -141,10 +141,10 @@ isc_result_t trace_begin (const char *fi + return DHCP_R_INVALIDARG; + } + +- traceoutfile = open (filename, O_CREAT | O_WRONLY | O_EXCL, 0600); ++ traceoutfile = open (filename, O_CREAT | O_WRONLY | O_EXCL | O_CLOEXEC, 0600); + if (traceoutfile < 0 && errno == EEXIST) { + log_error ("WARNING: Overwriting trace file \"%s\"", filename); +- traceoutfile = open (filename, O_WRONLY | O_EXCL | O_TRUNC, ++ traceoutfile = open (filename, O_WRONLY | O_EXCL | O_TRUNC | O_CLOEXEC, + 0600); + } + +@@ -431,7 +431,7 @@ void trace_file_replay (const char *file + isc_result_t result; + int len; + +- traceinfile = fopen (filename, "r"); ++ traceinfile = fopen (filename, "re"); + if (!traceinfile) { + log_error("Can't open tracefile %s: %m", filename); + return; +--- relay/dhcrelay.c.orig ++++ relay/dhcrelay.c +@@ -177,11 +177,11 @@ main(int argc, char **argv) { + /* Make sure that file descriptors 0(stdin), 1,(stdout), and + 2(stderr) are open. To do this, we assume that when we + open a file the lowest available file descriptor is used. */ +- fd = open("/dev/null", O_RDWR); ++ fd = open("/dev/null", O_RDWR | O_CLOEXEC); + if (fd == 0) +- fd = open("/dev/null", O_RDWR); ++ fd = open("/dev/null", O_RDWR | O_CLOEXEC); + if (fd == 1) +- fd = open("/dev/null", O_RDWR); ++ fd = open("/dev/null", O_RDWR | O_CLOEXEC); + if (fd == 2) + log_perror = 0; /* No sense logging to /dev/null. */ + else if (fd != -1) +@@ -520,12 +520,12 @@ main(int argc, char **argv) { + exit(0); + + pfdesc = open(path_dhcrelay_pid, +- O_CREAT | O_TRUNC | O_WRONLY, 0644); ++ O_CREAT | O_TRUNC | O_WRONLY | O_CLOEXEC, 0644); + + if (pfdesc < 0) { + log_error("Can't create %s: %m", path_dhcrelay_pid); + } else { +- pf = fdopen(pfdesc, "w"); ++ pf = fdopen(pfdesc, "we"); + if (!pf) + log_error("Can't fdopen %s: %m", + path_dhcrelay_pid); +--- server/confpars.c.orig ++++ server/confpars.c +@@ -116,7 +116,7 @@ isc_result_t read_conf_file (const char + } + #endif + +- if ((file = open (filename, O_RDONLY)) < 0) { ++ if ((file = open (filename, O_RDONLY | O_CLOEXEC)) < 0) { + if (leasep) { + log_error ("Can't open lease database %s: %m --", + path_dhcpd_db); +--- server/db.c.orig ++++ server/db.c +@@ -1035,7 +1035,7 @@ void db_startup (testp) + } + #endif + if (!testp) { +- db_file = fopen (path_dhcpd_db, "a"); ++ db_file = fopen (path_dhcpd_db, "ae"); + if (!db_file) + log_fatal ("Can't open %s for append.", path_dhcpd_db); + expire_all_pools (); +@@ -1074,7 +1074,7 @@ int new_lease_file () + db_validity = lease_file_is_corrupt; + + snprintf (newfname, sizeof(newfname), "%s.XXXXXX", path_dhcpd_db); +- db_fd = mkstemp (newfname); ++ db_fd = mkostemp (newfname, O_CLOEXEC); + if (db_fd < 0) { + log_error ("Can't create new lease file: %m"); + return 0; +@@ -1083,7 +1083,7 @@ int new_lease_file () + log_error ("Can't fchmod new lease file: %m"); + goto fail; + } +- if ((new_db_file = fdopen(db_fd, "w")) == NULL) { ++ if ((new_db_file = fdopen(db_fd, "we")) == NULL) { + log_error("Can't fdopen new lease file: %m"); + close(db_fd); + goto fdfail; +--- server/dhcpd.c.orig ++++ server/dhcpd.c +@@ -272,11 +272,11 @@ main(int argc, char **argv) { + /* Make sure that file descriptors 0 (stdin), 1, (stdout), and + 2 (stderr) are open. To do this, we assume that when we + open a file the lowest available file descriptor is used. */ +- fd = open("/dev/null", O_RDWR); ++ fd = open("/dev/null", O_RDWR | O_CLOEXEC); + if (fd == 0) +- fd = open("/dev/null", O_RDWR); ++ fd = open("/dev/null", O_RDWR | O_CLOEXEC); + if (fd == 1) +- fd = open("/dev/null", O_RDWR); ++ fd = open("/dev/null", O_RDWR | O_CLOEXEC); + if (fd == 2) + log_perror = 0; /* No sense logging to /dev/null. */ + else if (fd != -1) +@@ -800,7 +800,7 @@ main(int argc, char **argv) { + #endif /* PARANOIA */ + + /* Read previous pid file. */ +- if ((i = open (path_dhcpd_pid, O_RDONLY)) >= 0) { ++ if ((i = open (path_dhcpd_pid, O_RDONLY | O_CLOEXEC)) >= 0) { + status = read(i, pbuf, (sizeof pbuf) - 1); + close (i); + if (status > 0) { +@@ -818,7 +818,7 @@ main(int argc, char **argv) { + } + + /* Write new pid file. */ +- if ((i = open(path_dhcpd_pid, O_WRONLY|O_CREAT|O_TRUNC, 0644)) >= 0) { ++ if ((i = open(path_dhcpd_pid, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0644)) >= 0) { + sprintf(pbuf, "%d\n", (int) getpid()); + IGNORE_RET (write(i, pbuf, strlen(pbuf))); + close(i); +@@ -844,9 +844,9 @@ main(int argc, char **argv) { + close(2); + + /* Reopen them on /dev/null. */ +- open("/dev/null", O_RDWR); +- open("/dev/null", O_RDWR); +- open("/dev/null", O_RDWR); ++ open("/dev/null", O_RDWR | O_CLOEXEC); ++ open("/dev/null", O_RDWR | O_CLOEXEC); ++ open("/dev/null", O_RDWR | O_CLOEXEC); + log_perror = 0; /* No sense logging to /dev/null. */ + + IGNORE_RET (chdir("/")); +--- server/ldap.c.orig ++++ server/ldap.c +@@ -1098,7 +1098,7 @@ ldap_start (void) + + if (ldap_debug_file != NULL && ldap_debug_fd == -1) + { +- if ((ldap_debug_fd = open (ldap_debug_file, O_CREAT | O_TRUNC | O_WRONLY, ++ if ((ldap_debug_fd = open (ldap_debug_file, O_CREAT | O_TRUNC | O_WRONLY | O_CLOEXEC, + S_IRUSR | S_IWUSR)) < 0) + log_error ("Error opening debug LDAP log file %s: %s", ldap_debug_file, + strerror (errno)); diff --git a/dhcp.changes b/dhcp.changes index d734575..4713a59 100644 --- a/dhcp.changes +++ b/dhcp.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue May 17 03:58:24 UTC 2011 - crrodriguez@opensuse.org + +- Import redhat's patch to open all needed FDs with O_CLOEXEC + so they dont leak. + ------------------------------------------------------------------- Thu May 12 08:39:03 UTC 2011 - mt@suse.de diff --git a/dhcp.spec b/dhcp.spec index c707dff..0f5a833 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -87,6 +87,7 @@ Patch40: dhcp-4.1.1-P1-lpf-bind-msg-fix.diff Patch41: dhcp-4.1.1-P1-relay-no-ip-on-interface.diff Patch44: dhcp-4.2.0-xen-checksum.patch Patch45: dhcp-4.2.1-P1-dhclient-option-checks.bnc675052.diff +Patch46: dhcp-4.2.0-CLOEXEC.patch ## PreReq: /bin/touch /sbin/chkconfig sysconfig BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -227,12 +228,13 @@ Authors: %patch41 -p1 %patch44 -p1 %patch45 -p1 +%patch46 ## find . -type f -name \*.cat\* -exec rm -f {} \; dos2unix contrib/ms2isc/* %build -CFLAGS="$RPM_OPT_FLAGS -W -Wall -fno-strict-aliasing -Wno-unused" +CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -W -Wall -fno-strict-aliasing -Wno-unused" %ifarch ppc ppc64 s390x # bugs 134590, 171532 CFLAGS="$CFLAGS -fsigned-char"