tcp: apply CLOEXEC to accepted socket, not listener

MegaManSec · cron2 · commit 2aa8550d4444 · 2025-10-28T18:13:17.000+01:00
The accept path calls set_cloexec(sd) after accept(). That re-flags the listening socket, which is already CLOEXEC from create_socket_tcp(), and leaves new_sd inheritable. As a result, client-connect and auth scripts spawned after accept can inherit the connected socket and read or write the raw TCP stream. This defeats the stated intent to prevent scripts from accessing the client socket. This bug was found using ZeroPath. Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <-MNw5Hu8h0rHV18x36ISt7V0UHchIO4i-JoAeV_wlxS1AmDIAe7YVYNput3_r2hiu3HhwxkhGyUhv4-iH_E7mf7nGjvocmGXlDq7Tjly5cE=@joshua.hu> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33823.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit c0d96fd)
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
@@ -1270,7 +1270,7 @@ socket_do_accept(socket_descriptor_t sd,
     {
         /* set socket file descriptor to not pass across execs, so that
          * scripts don't have access to it */
-        set_cloexec(sd);
+        set_cloexec(new_sd);
     }
     return new_sd;
 }

Original file line number	Diff line number	Diff line change
`@@ -1270,7 +1270,7 @@ socket_do_accept(socket_descriptor_t sd,`
`1270`	`1270`	`{`
`1271`	`1271`	`/* set socket file descriptor to not pass across execs, so that`
`1272`	`1272`	`* scripts don't have access to it */`
`1273`		`- set_cloexec(sd);`
	`1273`	`+ set_cloexec(new_sd);`
`1274`	`1274`	`}`
`1275`	`1275`	`return new_sd;`
`1276`	`1276`	`}`