>Number:         3798
>Category:       bin
>Synopsis:       File descriptor leak in pppd
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jun 26 21:50:01 1997
>Last-Modified:
>Originator:     Dave Huang
>Organization:
Name: Dave Huang     |   Mammal, mammal / their names are called /
INet: khym@bga.com   |   they raise a paw / the bat, the cat /
FurryMUCK: Dahan     |   dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 21 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++
>Release:        NetBSD-current as of June 26, 1997
>Environment:
	
System: NetBSD dahan.metonymy.com 1.2G NetBSD 1.2G (SPIFF) #56: Thu Jun 26 19:56:38 CDT 1997 khym@dahan.metonymy.com:/usr/src.local/sys/arch/i386/compile/SPIFF i386


>Description:
When using PAP authentication, pppd opens the pap-secrets file, but
never closes it. If pppd is set to dial on demand and disconnect when
idle, after a few disconnect/reconnects, pppd will hit its open file
descriptor limit and quit working.

>How-To-Repeat:
Running dial on demand ppp for a while seems to do it for me... doing
a "fstat -p" on the pppd process shows a bunch of open descriptors for
pap-secrets.

>Fix:
--- /usr/src/usr.sbin/pppd/pppd/auth.c	Sun May 18 06:27:26 1997
+++ auth.c	Thu Jun 26 19:38:52 1997
@@ -879,6 +879,7 @@
 {
     char *filename;
     FILE *f;
+    int ret;
     struct wordlist *addrs;
     char secret[MAXWORDLEN];
 
@@ -888,9 +889,11 @@
     if (f == NULL)
 	return 0;
     check_access(f, filename);
-    if (scan_authfile(f, user,
+    ret = scan_authfile(f, user,
 		      remote_name[0]? remote_name: NULL,
-		      (u_int32_t)0, secret, NULL, filename) < 0)
+		      (u_int32_t)0, secret, NULL, filename);
+    fclose(f);
+    if (ret < 0)
 	return 0;
     if (passwd != NULL) {
 	strncpy(passwd, secret, MAXSECRETLEN);
>Audit-Trail:
>Unformatted: