From 8167e5ce99682f64918a20966ce393cd33ac67ef Mon Sep 17 00:00:00 2001
From: Lee Duncan <lduncan@suse.com>
Date: Fri, 15 Dec 2017 11:13:29 -0800
Subject: [PATCH 4/7] Do not double-close IPC file stream to iscsid

A double-close of a file descriptor and its associated FILE stream
can be an issue in multi-threaded cases. Found by Qualsys.

CVE: CVE-2017-17840

Upstream-Status: Backport

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
 iscsiuio/src/unix/iscsid_ipc.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
index 61e96cc..bde8d66 100644
--- a/iscsiuio/src/unix/iscsid_ipc.c
+++ b/iscsiuio/src/unix/iscsid_ipc.c
@@ -913,6 +913,9 @@ early_exit:
 /**
  *  process_iscsid_broadcast() - This function is used to process the
  *                               broadcast messages from iscsid
+ *
+ *                               s2 is an open file descriptor, which
+ *                               must not be left open upon return
  */
 int process_iscsid_broadcast(int s2)
 {
@@ -928,6 +931,7 @@ int process_iscsid_broadcast(int s2)
 	if (fd == NULL) {
 		LOG_ERR(PFX "Couldn't open file descriptor: %d(%s)",
 			errno, strerror(errno));
+		close(s2);
 		return -EIO;
 	}
 
@@ -1030,7 +1034,8 @@ int process_iscsid_broadcast(int s2)
 	}
 
 error:
-	free(data);
+	if (data)
+		free(data);
 	fclose(fd);
 
 	return rc;
@@ -1132,8 +1137,8 @@ static void *iscsid_loop(void *arg)
 			break;
 		}
 
+		/* this closes the file descriptor s2 */
 		process_iscsid_broadcast(s2);
-		close(s2);
 	}
 
 	pthread_cleanup_pop(0);
-- 
1.9.1