From eae5e0f3a3a5b08a843756093dc3bfd0f4068108 Mon Sep 17 00:00:00 2001
From: Tobias Klauser <tklauser@distanz.ch>
Date: Thu, 23 Sep 2021 12:05:13 +0200
Subject: tun: avoid leaking sock fd in CreateTUN error cases

At these points, the socket file descriptor is not yet wrapped in an
*os.File, so it needs to be closed explicitly on error.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
 tun/tun_linux.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

(limited to 'tun/tun_linux.go')

diff --git a/tun/tun_linux.go b/tun/tun_linux.go
index 466a805..1cc84cb 100644
--- a/tun/tun_linux.go
+++ b/tun/tun_linux.go
@@ -419,6 +419,7 @@ func CreateTUN(name string, mtu int) (Device, error) {
 	var flags uint16 = unix.IFF_TUN // | unix.IFF_NO_PI (disabled for TUN status hack)
 	nameBytes := []byte(name)
 	if len(nameBytes) >= unix.IFNAMSIZ {
+		unix.Close(nfd)
 		return nil, fmt.Errorf("interface name too long: %w", unix.ENAMETOOLONG)
 	}
 	copy(ifr[:], nameBytes)
@@ -431,17 +432,19 @@ func CreateTUN(name string, mtu int) (Device, error) {
 		uintptr(unsafe.Pointer(&ifr[0])),
 	)
 	if errno != 0 {
+		unix.Close(nfd)
 		return nil, errno
 	}
-	err = unix.SetNonblock(nfd, true)
-
-	// Note that the above -- open,ioctl,nonblock -- must happen prior to handing it to netpoll as below this line.
 
-	fd := os.NewFile(uintptr(nfd), cloneDevicePath)
+	err = unix.SetNonblock(nfd, true)
 	if err != nil {
+		unix.Close(nfd)
 		return nil, err
 	}
 
+	// Note that the above -- open,ioctl,nonblock -- must happen prior to handing it to netpoll as below this line.
+
+	fd := os.NewFile(uintptr(nfd), cloneDevicePath)
 	return CreateTUNFromFile(fd, mtu)
 }
 
-- 
cgit v1.2.3-59-g8ed1b