[apparmor] [PATCH] pam_apparmor: Don't leak /dev/urandom fd

Tyler Hicks tyhicks at canonical.com
Mon Feb 1 16:19:24 UTC 2016


If reading /dev/urandom failed, the corresponding file descriptor was
leaked through the error path.

Coverity CID #56012

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---

Nominated for trunk, 2.10, and 2.9.

 changehat/pam_apparmor/pam_apparmor.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/changehat/pam_apparmor/pam_apparmor.c b/changehat/pam_apparmor/pam_apparmor.c
index 21c323f..85b6f7b 100644
--- a/changehat/pam_apparmor/pam_apparmor.c
+++ b/changehat/pam_apparmor/pam_apparmor.c
@@ -111,6 +111,7 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
 					  sizeof(magic_token));
 		if (retval < 0) {
 			pam_syslog(pamh, LOG_ERR, "Can't read from /dev/urandom\n");
+			close(fd);
 			return PAM_PERM_DENIED;
 		}
 	} while ((magic_token == 0) || (retval != sizeof(magic_token)));
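Review bot: closing the descriptor by hand in the `if (retval < 0)` branch fixes this one exit, but it leaves cleanup tied to each individual `return`, which is the pattern that produced the leak. Consider routing the error exits of pam_sm_open_session through a single cleanup label that does the `close(fd)`, so a later early return added inside or after the `do { ... } while` loop cannot skip it. Only this error path is visible in the hunk, so it is worth checking that any other return between the open and the normal close is covered as well. Two smaller points on the same branch: the "Can't read from /dev/urandom\n" message does not say why the read failed, so if the errno reason is ever added it should be captured before `close(fd)`, which may overwrite errno; and the trailing `\n` in the pam_syslog format string is not needed.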
-- 
2.5.0



