From ff2d32822a2f73beb07d0a95a61b78ea0f66618b Mon Sep 17 00:00:00 2001
From: mdw
Date: Thu, 18 Jun 1998 15:10:44 +0000
Subject: [PATCH] SECURITY HOLE: the file descriptor for the secret key was left open and inherited by the target process. This is now fixed. Also set close-on-exec flags on key file, close config file carefully, and close UDP socket after receiving reply from server.
---
 src/check.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/check.c b/src/check.c
index a2d13b5..f0a98b7 100644
--- a/src/check.c
+++ b/src/check.c
@@ -1,6 +1,6 @@
 /* -*-c-*-
  *
- * $Id: check.c,v 1.7 1998/04/23 13:22:08 mdw Exp $
+ * $Id: check.c,v 1.8 1998/06/18 15:10:44 mdw Exp $
  *
  * Check validity of requests
  *
@@ -29,6 +29,12 @@
 /*----- Revision history --------------------------------------------------*
  *
  * $Log: check.c,v $
+ * Revision 1.8 1998/06/18 15:10:44 mdw
+ * SECURITY HOLE: the file descriptor for the secret key was left open and
+ * inherited by the target process. This is now fixed. Also set
+ * close-on-exec flags on key file, close config file carefully, and close
+ * UDP socket after receiving reply from server.
+ *
  * Revision 1.7 1998/04/23 13:22:08 mdw
  * Support no-network configuration option, and new interface to
  * configuration file parser.
@@ -77,6 +83,7 @@
 #include
+#include
 #include
 #include
@@ -166,7 +173,12 @@ static int check__ask(request *rq, struct sockaddr_in *serv, size_t n_serv)
  die("couldn't open key file `%s': %s", file_KEY,
  strerror(errno));
  }
+ if (fcntl(fileno(fp), F_SETFD, 1) < 0) {
+ die("couldn't set close-on-exec on key file `%s': %s", file_KEY,
+ strerror(errno));
+ }
  tx_getBits(k, 128, fp);
+ fclose(fp);
 
  /* --- Now build a request packet --- */
 
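Review bot: The new `fcntl(fileno(fp), F_SETFD, 1)` in check__ask hard-codes the flag value; the named constant says what is meant and does not rely on it being 1: `if (fcntl(fileno(fp), F_SETFD, FD_CLOEXEC) < 0) {`. The `fclose(fp)` straight after `tx_getBits` is what actually stops the descriptor reaching the target process, with the flag as a backstop, so a comment such as `/* key fd must never survive into the target process */` would keep a later cleanup from dropping either one. The stdio buffer behind `fp` has also held the key bytes and is released by `fclose` without being cleared, and it is not visible here whether `k` is wiped after use, so both are worth checking. The body of check__ask starts and ends outside this hunk.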
@@ -300,7 +312,7 @@ static int check__ask(request *rq, struct sockaddr_in *serv, size_t n_serv)
  T( trace(TRACE_CLIENT, "client: reply from unknown host"); )
  continue;
  }
- 
+
  /* --- Unpack and verify the response --- */
 
  answer = crypt_unpackReply(buff, sk, t, pid);
@@ -309,6 +321,7 @@ static int check__ask(request *rq, struct sockaddr_in *serv, size_t n_serv)
  "client: invalid or corrupt reply packet"); )
  continue;
  }
+ close(fd);
  return (answer);
  }
  }
@@ -554,6 +567,7 @@ int check(request *rq)
  rule_init();
  lexer_scan(fp);
  parse();
+ fclose(fp);
  return (rule_check(rq));
 }
 
-- 
2.11.0
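Review bot: The added `close(fd)` in check__ask sits only on the path that returns a verified answer, so any other way out of the function that does not end the process would still leave the UDP socket open for the target to inherit; those paths are outside this hunk and should be checked. Marking the socket close-on-exec where it is created, as the commit does for the key file, would cover every path at once: `fcntl(fd, F_SETFD, FD_CLOEXEC)`. The same applies to the last hunk in check(), where `fclose(fp)` on the config file runs only if `parse()` returns normally. A short comment at both sites, for example `/* must not be inherited by the target process */`, would record why these closes matter.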