From bbe948ae58314ce3395d39e0fe49cdba309c29df Mon Sep 17 00:00:00 2001
From: Robin Hack
Date: Mon, 25 Aug 2014 17:30:01 +0200
Subject: pam_filter: Avoid leaking descriptors when fork() fails.
modules/pam_filter/pam_filter.c (set_filter): Close descriptors when fork() fails.
---
 modules/pam_filter/pam_filter.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/modules/pam_filter/pam_filter.c b/modules/pam_filter/pam_filter.c
index da98148f..9935d994 100644
--- a/modules/pam_filter/pam_filter.c
+++ b/modules/pam_filter/pam_filter.c
@@ -341,6 +341,11 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
 pam_syslog(pamh, LOG_WARNING, "first fork failed: %m");
 if (aterminal) {
 (void) tcsetattr(STDIN_FILENO, TCSAFLUSH, &stored_mode);
+ close(fd[0]);
+ } else {
+ /* Socket pair */
+ close(fd[0]);
+ close(fd[1]);
 }
 return PAM_AUTH_ERR;
--
cgit v1.2.3
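Review bot: The fork-failure path now closes only `fd[0]` in the `aterminal` branch but both `fd[0]` and `fd[1]` in the socket-pair branch, and nothing in the hunk says why the terminal case has no second descriptor to release. If, as the asymmetry suggests, only the pty master is open in the parent at this point, a comment such as `/* pty: only the master fd[0] is open before fork() */` above the first `close(fd[0]);` would make that checkable; if `fd[1]` can already be open there, it still leaks. Because a PAM module runs inside the authenticating service's process, a descriptor left open here stays open for the life of that process, so it is worth confirming that the other early returns in set_filter, which continues outside this hunk, release `fd[]` the same way.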