author | Iker Pedrosa <ipedrosa@redhat.com> | 2024-05-22 11:20:02 +0200 |
---|---|---|
committer | Dmitry V. Levin <ldv@strace.io> | 2024-05-23 10:25:09 +0000 |
commit | d00f6cb366b492de455f9b72fcbd2e49abf323e0 (patch) | |
tree | f919995346a5b04f8f1b47ebe9ec2a7f244a76b7 | |
parent | 5eccaf9b3488d3f6da800281363697e4e4834e77 (diff) | |
pam_rootok: close the audit socket on error path
* modules/pam_rootok/pam_rootok.c (log_callback): Close the audit socket
if vasprintf returned an error.
```
Error: RESOURCE_LEAK (CWE-772):
Linux-PAM-1.6.0/modules/pam_rootok/pam_rootok.c:59: open_fn: Returning handle opened by "audit_open".
Linux-PAM-1.6.0/modules/pam_rootok/pam_rootok.c:59: var_assign: Assigning: "audit_fd" = handle returned from "audit_open()".
Linux-PAM-1.6.0/modules/pam_rootok/pam_rootok.c:69: leaked_handle: Handle variable "audit_fd" going out of scope leaks the handle.
67| va_end(ap);
68| if (ret < 0) {
69|-> return 0;
70| }
71| audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
```
Resolves: https://issues.redhat.com/browse/RHEL-36475
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
-rw-r--r-- | modules/pam_rootok/pam_rootok.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c index 6d2dfa07..1b88fb19 100644 --- a/modules/pam_rootok/pam_rootok.c +++ b/modules/pam_rootok/pam_rootok.c @@ -66,6 +66,7 @@ log_callback (int type UNUSED, const char *fmt, ...) ret = vasprintf (&buf, fmt, ap); va_end(ap); if (ret < 0) { + audit_close(audit_fd); return 0; } audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, |
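Review bot: In the `if (ret < 0)` branch the socket now has to be closed only because, per the Coverity trace in the commit message, `audit_open()` at line 59 runs before `vasprintf` at line 66. Formatting the message first and opening the audit socket only once `buf` is valid would leave this error path with nothing to release and make the leak impossible to reintroduce. If the order stays as it is, note that the hunk does not show a check of `audit_fd` between the open and this branch; if `audit_open()` can return a negative value here, `audit_close(audit_fd)` is then called on an invalid descriptor, so a guard such as `if (audit_fd >= 0)` or an early return right after the open would be worth adding. The branch also still returns 0 with the AVC message dropped silently, and a short comment saying that this is intentional would help the next reader.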