[apparmor] [PATCH] pam_apparmor: Don't leak /dev/urandom fd
Tyler Hicks
tyhicks at canonical.com
Mon Feb 1 16:19:24 UTC 2016
If reading /dev/urandom failed, the corresponding file descriptor was
leaked through the error path.
Coverity CID #56012
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
Nominated for trunk, 2.10, and 2.9.
changehat/pam_apparmor/pam_apparmor.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/changehat/pam_apparmor/pam_apparmor.c b/changehat/pam_apparmor/pam_apparmor.c
index 21c323f..85b6f7b 100644
--- a/changehat/pam_apparmor/pam_apparmor.c
+++ b/changehat/pam_apparmor/pam_apparmor.c
@@ -111,6 +111,7 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
sizeof(magic_token));
if (retval < 0) {
pam_syslog(pamh, LOG_ERR, "Can't read from /dev/urandom\n");
+ close(fd);
return PAM_PERM_DENIED;
}
} while ((magic_token == 0) || (retval != sizeof(magic_token)));
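Review bot: the `close(fd)` in the `retval < 0` branch covers only this one early return, and the hunk does not show the other exits of `pam_sm_open_session()` that follow the open of /dev/urandom. Before backporting to 2.10 and 2.9, check that every later return also closes `fd` (or closes it right after the loop ends), or route the error returns through a single cleanup label so the next added return cannot reintroduce the leak. A smaller point in the same branch: the `pam_syslog()` message does not say why the read failed. Including `strerror(errno)`, captured before `close(fd)` can overwrite `errno`, would make the PAM_PERM_DENIED result easier to diagnose, and the trailing "\n" is not needed for a syslog message.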
--
2.5.0