From c5a42e932f948cdb2d76a8c79bfaebd6c8cf6376 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Stefan=20B=C3=BChler?= <stbuehler@web.de>
Date: Mon, 14 Mar 2016 18:07:01 +0000
Subject: [PATCH] [mod_fastcgi,mod_scgi] fix leaking file-descriptor when
 backend spawning failed (reported by Fortify Open Review Project)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Reference: Fortify Open Review Project - lighttpd 1.4.39
    ID 22708161 - Unreleased Resource
    ID 22708163 - Unreleased Resource

From: Stefan Bühler <stbuehler@web.de>

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@3097 152afb58-edef-0310-8abb-c4023f1b3aa9
---
 NEWS              |  1 +
 src/mod_fastcgi.c | 32 +++++++++++++++++++++-----------
 src/mod_scgi.c    | 33 ++++++++++++++++++++++-----------
 3 files changed, 44 insertions(+), 22 deletions(-)

diff --git a/NEWS b/NEWS
index fdee1b3f..081169de 100644
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,7 @@ NEWS
   * [mod_proxy] use case-insensitive comparision to filter headers, send Connection: Close to backend (fixes #421)
   * [mod_dirlisting] dir-listing.hide-dotfiles = "enabled" by default (fixes #1081)
   * [mod_secdownload] fix buffer overflow in secdl_verify_mac (reported by Fortify Open Review Project)
+  * [mod_fastcgi,mod_scgi] fix leaking file-descriptor when backend spawning failed (reported by Fortify Open Review Project)
 
 - 1.4.39 - 2016-01-02
   * [core] fix memset_s call (fixes #2698)
diff --git a/src/mod_fastcgi.c b/src/mod_fastcgi.c
index 171d6cf7..c9effacc 100644
--- a/src/mod_fastcgi.c
+++ b/src/mod_fastcgi.c
@@ -834,10 +834,24 @@ static int parse_binpath(char_array *env, buffer *b) {
 	return 0;
 }
 
+#if !defined(HAVE_FORK)
 static int fcgi_spawn_connection(server *srv,
-				 plugin_data *p,
-				 fcgi_extension_host *host,
-				 fcgi_proc *proc) {
+                                 plugin_data *p,
+                                 fcgi_extension_host *host,
+                                 fcgi_proc *proc) {
+	UNUSED(srv);
+	UNUSED(p);
+	UNUSED(host);
+	UNUSED(proc);
+	return -1;
+}
+
+#else /* -> defined(HAVE_FORK) */
+
+static int fcgi_spawn_connection(server *srv,
+                                 plugin_data *p,
+                                 fcgi_extension_host *host,
+                                 fcgi_proc *proc) {
 	int fcgi_fd;
 	int socket_type, status;
 	struct timeval tv = { 0, 100 * 1000 };
@@ -849,10 +863,6 @@ static int fcgi_spawn_connection(server *srv,
 
 	socklen_t servlen;
 
-#ifndef HAVE_FORK
-	return -1;
-#endif
-
 	if (p->conf.debug) {
 		log_error_write(srv, __FILE__, __LINE__, "sdb",
 				"new proc, socket:", proc->port, proc->unixsocket);
@@ -986,7 +996,6 @@ static int fcgi_spawn_connection(server *srv,
 			return -1;
 		}
 
-#ifdef HAVE_FORK
 		switch ((child = fork())) {
 		case 0: {
 			size_t i = 0;
@@ -1082,9 +1091,11 @@ static int fcgi_spawn_connection(server *srv,
 		}
 		case -1:
 			/* error */
+			close(fcgi_fd);
 			break;
 		default:
 			/* father */
+			close(fcgi_fd);
 
 			/* wait */
 			select(0, NULL, NULL, NULL, &tv);
@@ -1134,8 +1145,8 @@ static int fcgi_spawn_connection(server *srv,
 
 			break;
 		}
-#endif
 	} else {
+		close(fcgi_fd);
 		proc->is_local = 0;
 		proc->pid = 0;
 
@@ -1149,11 +1160,10 @@ static int fcgi_spawn_connection(server *srv,
 	proc->state = PROC_STATE_RUNNING;
 	host->active_procs++;
 
-	close(fcgi_fd);
-
 	return 0;
 }
 
+#endif /* HAVE_FORK */
 
 SETDEFAULTS_FUNC(mod_fastcgi_set_defaults) {
 	plugin_data *p = p_d;
diff --git a/src/mod_scgi.c b/src/mod_scgi.c
index bd2dbb67..0bd96c34 100644
--- a/src/mod_scgi.c
+++ b/src/mod_scgi.c
@@ -641,10 +641,24 @@ static int env_add(char_array *env, const char *key, size_t key_len, const char
 	return 0;
 }
 
+#if !defined(HAVE_FORK)
 static int scgi_spawn_connection(server *srv,
-				 plugin_data *p,
-				 scgi_extension_host *host,
-				 scgi_proc *proc) {
+                                 plugin_data *p,
+                                 scgi_extension_host *host,
+                                 scgi_proc *proc) {
+	UNUSED(srv);
+	UNUSED(p);
+	UNUSED(host);
+	UNUSED(proc);
+	return -1;
+}
+
+#else /* -> defined(HAVE_FORK) */
+
+static int scgi_spawn_connection(server *srv,
+                                 plugin_data *p,
+                                 scgi_extension_host *host,
+                                 scgi_proc *proc) {
 	int scgi_fd;
 	int socket_type, status;
 	struct timeval tv = { 0, 100 * 1000 };
@@ -656,10 +670,6 @@ static int scgi_spawn_connection(server *srv,
 
 	socklen_t servlen;
 
-#ifndef HAVE_FORK
-	return -1;
-#endif
-
 	if (p->conf.debug) {
 		log_error_write(srv, __FILE__, __LINE__, "sdb",
 				"new proc, socket:", proc->port, proc->socket);
@@ -780,7 +790,6 @@ static int scgi_spawn_connection(server *srv,
 			return -1;
 		}
 
-#ifdef HAVE_FORK
 		switch ((child = fork())) {
 		case 0: {
 			buffer *b;
@@ -861,9 +870,11 @@ static int scgi_spawn_connection(server *srv,
 		}
 		case -1:
 			/* error */
+			close(scgi_fd);
 			break;
 		default:
 			/* father */
+			close(scgi_fd);
 
 			/* wait */
 			select(0, NULL, NULL, NULL, &tv);
@@ -902,8 +913,9 @@ static int scgi_spawn_connection(server *srv,
 
 			break;
 		}
-#endif
 	} else {
+		close(scgi_fd);
+
 		proc->is_local = 0;
 		proc->pid = 0;
 
@@ -917,11 +929,10 @@ static int scgi_spawn_connection(server *srv,
 	proc->state = PROC_STATE_RUNNING;
 	host->active_procs++;
 
-	close(scgi_fd);
-
 	return 0;
 }
 
+#endif /* HAVE_FORK */
 
 SETDEFAULTS_FUNC(mod_scgi_set_defaults) {
 	plugin_data *p = p_d;
-- 
2.11.4.GIT