From fred@dev.clift.org  Fri May  3 10:16:57 2002
Return-Path: <fred@dev.clift.org>
Received: from dev.clift.org (dentedarmor.com [63.230.22.59])
	by hub.freebsd.org (Postfix) with ESMTP id 1979637B41D
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  3 May 2002 10:16:12 -0700 (PDT)
Received: (from fred@localhost)
	by dev.clift.org (8.11.6/8.9.3) id g43HF9s92692;
	Fri, 3 May 2002 11:15:09 -0600 (MDT)
	(envelope-from fred)
Message-Id: <200205031715.g43HF9s92692@dev.clift.org>
Date: Fri, 3 May 2002 11:15:09 -0600 (MDT)
From: Fred Clift <fred@clift.org>
Reply-To: Fred Clift <fred@clift.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [PATCH] calls to libc localtime can leak open file descriptors
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         37717
>Category:       bin
>Synopsis:       [PATCH] calls to libc localtime can leak open file descriptors
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 03 10:20:01 PDT 2002
>Closed-Date:    Tue Aug 13 09:09:38 PDT 2002
>Last-Modified:  Tue Aug 13 09:09:38 PDT 2002
>Originator:     Fred Clift
>Release:        FreeBSD 4.5-STABLE i386 and -CURRENT too
>Organization:
on behalf of NTT/Verio hosting
>Environment:
System: FreeBSD -STABLE and -CURRENT, any platform 


>Description:

Clearly wrong behavior in libc's localtime.c, in tzload() in src/lib/libc/stdtime/localtime.c to be precise.
There is a sanity check at the end to make sure that the file that was opened was indeed a regular file
and not, say, a directory, a device, etc. If the call to fstat succeeds we _must_ have had an open file
descriptor (in an automatic variable), which the function doesn't close before the immediate 'return -1;'.

Hence the open file descriptor leaks.


>How-To-Repeat:

Write a program that calls localtime. Misconfigure /usr/share/zoneinfo/GMT to be a directory instead of a
file and run your program. That's it. Yes, this takes a misconfiguration to tickle, but since it is that
misconfiguration that the code is checking for, we should fix it.

The case where this was discovered was when running proftpd and letting it try to chroot: chroot seems to
fail when you have an open descriptor of a directory (the open descriptor could be used to break out of the chroot).
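The leak pattern described above, as an added example that is not part of this PR or of libc: open_regular_leaky() mirrors the pre-patch tzload() check (open, fstat, S_ISREG, return -1 without closing), open_regular_fixed() is the corrected shape, and leaked_fds() is a small probe that counts how many descriptors a function loses when pointed at a directory, which is the misconfiguration the report reproduces. The function names, the errno-preserving close and the probe are assumptions of this example, not code from the page.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Leaky variant (hypothetical name): same control flow as the pre-patch
 * tzload() check.  When fstat fails or the path is not a regular file the
 * function returns -1 while 'fid' is still open, so the descriptor leaks. */
static int open_regular_leaky(const char *name)
{
    struct stat stab;
    int fid = open(name, O_RDONLY);
    if (fid == -1)
        return -1;
    if (fstat(fid, &stab) < 0 || !S_ISREG(stab.st_mode))
        return -1;              /* 'fid' is dropped here: the leak */
    return fid;
}

/* Corrected variant (hypothetical name): every error path after open()
 * releases the descriptor.  errno is saved around close() so the caller
 * still sees why the open failed, not a side effect of close(). */
static int open_regular_fixed(const char *name)
{
    struct stat stab;
    int fid = open(name, O_RDONLY);
    if (fid == -1)
        return -1;
    if (fstat(fid, &stab) < 0 || !S_ISREG(stab.st_mode)) {
        int saved = errno;
        close(fid);
        errno = saved;
        return -1;
    }
    return fid;
}

/* Cheap leak probe: the lowest free descriptor number.  POSIX guarantees
 * open() returns the lowest unused descriptor, so if this number grows
 * across calls that should have released their descriptors, something
 * leaked.  "/" is used only because it exists on every Unix system. */
static int lowest_free_fd(void)
{
    int fd = open("/", O_RDONLY);
    if (fd == -1)
        return -1;
    close(fd);
    return fd;
}

/* Calls fn(path) n times (path should be a directory, as in the PR's
 * repro) and returns how many descriptors were left open afterwards. */
static int leaked_fds(int (*fn)(const char *), const char *path, int n)
{
    int before = lowest_free_fd();
    for (int i = 0; i < n; i++) {
        int fd = fn(path);
        if (fd >= 0)
            close(fd);          /* only reached for regular files */
    }
    return lowest_free_fd() - before;
}

int main(void)
{
    printf("leaky : %d descriptors lost after 5 calls on a directory\n",
           leaked_fds(open_regular_leaky, "/", 5));   /* 5 */
    printf("fixed : %d descriptors lost after 5 calls on a directory\n",
           leaked_fds(open_regular_fixed, "/", 5));   /* 0 */
    return 0;
}
```

The probe is the same check a defender can run against any long-lived daemon that calls localtime() in a loop: if the lowest free descriptor keeps climbing, an error path is dropping a descriptor, and a leaked directory descriptor is exactly the kind of object that makes a later chroot() unsafe.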


>Fix:

Patches for -stable and -current are:


** $FreeBSD: src/lib/libc/stdtime/localtime.c,v 1.25.2.1 2001/03/05 11:37:21 obrien Exp $


--- localtime.c.old     Tue Apr 30 09:21:42 2002
+++ localtime.c Tue Apr 30 09:20:52 2002
@@ -316,8 +316,10 @@
                        return -1;
                if ((fid = _open(name, OPEN_MODE)) == -1)
                        return -1;
-               if ((_fstat(fid, &stab) < 0) || !S_ISREG(stab.st_mode))
+               if ((_fstat(fid, &stab) < 0) || !S_ISREG(stab.st_mode)) {
+                       close(fid);
                        return -1;
+               }
        }
        {
                struct tzhead * tzhp;
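Review bot: the added `close(fid);` does not follow the convention the surrounding lines use, which call the libc-internal `_open` and `_fstat` wrappers rather than the public names; make it `_close(fid);` so the error path uses the same namespace-protected entry point as the open that created the descriptor and cannot be interposed by an application's own close(). The logic itself is right: on both the fstat failure and the !S_ISREG case the descriptor held in fid was previously abandoned by the bare `return -1;`.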

(head)
__FBSDID("$FreeBSD: src/lib/libc/stdtime/localtime.c,v 1.30 2002/03/22 21:53:13 obrien Exp $");



--- localtime.c.old     Mon Mar  5 04:37:21 2001
+++ localtime.c Tue Apr 30 09:13:58 2002
@@ -315,8 +315,10 @@
                        return -1;
                if ((fid = _open(name, OPEN_MODE)) == -1)
                        return -1;
-               if ((fstat(fid, &stab) < 0) || !S_ISREG(stab.st_mode))
+               if ((fstat(fid, &stab) < 0) || !S_ISREG(stab.st_mode)) {
+                       close(fid);
                        return -1;
+               }
        }
        {
                struct tzhead * tzhp;
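Review bot: this hunk only releases fid on the fstat/S_ISREG failure path; any later `return -1;` in tzload() after this block (where the opened file is read and validated) is outside the hunk, so confirm those paths also close fid, otherwise the same leak remains for a malformed zone file. Also note the inconsistency visible here: the -current tree calls `fstat` while `_open` is the underscored wrapper two lines up; pick the tree's own convention and apply it to the new close call (`_close` alongside `_open`).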


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed 
State-Changed-By: wollman 
State-Changed-When: Fri May 3 12:15:54 PDT 2002 
State-Changed-Why:  
Analysis appears to be correct and committed to current. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37717 
State-Changed-From-To: analyzed->patched 
State-Changed-By: ache 
State-Changed-When: Sat Jun 8 13:43:07 PDT 2002 
State-Changed-Why:  
This PR state should be "patched" according to guideline 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37717 
State-Changed-From-To: patched->closed 
State-Changed-By: bmilekic 
State-Changed-When: Tue Aug 13 08:46:25 PDT 2002 
State-Changed-Why:  
MFC'd to RELENG_4 as per request of submitter. Fix has been 
sitting in HEAD for over 3 months. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37717 
>Unformatted:
