From: Valentine Krasnobaeva <vkrasnobaeva@haproxy.com>
Date: Fri, 22 Aug 2025 07:55:40 +0000 (+0200)
Subject: MINOR: dns: dns_connect_nameserver: fix fd leak at error path
X-Git-Tag: v3.3-dev8~119
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0dc8d8d027114262bc470d94ecc2664523961446;p=thirdparty%2Fhaproxy.git

MINOR: dns: dns_connect_nameserver: fix fd leak at error path

This fixes the commit 2c7e05f80e3b
("MEDIUM: dns: don't call connect to dest socket for AF_INET*"). If we fail to
bind AF_INET sockets or the address family of the nameserver protocol isn't
something, what we expect, we need to close the fd, obtained by
connect.

This fixes the issue GitHub #3085
This must be backported along with the commit 2c7e05f80e3b.
---

diff --git a/src/dns.c b/src/dns.c
index e02eb1bdc..ed10b5cae 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -77,6 +77,7 @@ static int dns_connect_nameserver(struct dns_nameserver *ns)
 			send_log(NULL, LOG_WARNING,
 				 "DNS : section '%s': can't bind socket for nameserver '%s' on 0.0.0.0:0.\n",
 				 ns->counters->pid, ns->id);
+			close(fd);
 			return -1;
 		}
 		break;
@@ -93,6 +94,7 @@ static int dns_connect_nameserver(struct dns_nameserver *ns)
 			send_log(NULL, LOG_WARNING,
 				 "DNS : section '%s': can't bind socket for nameserver '%s' on :::0.\n",
 				 ns->counters->pid, ns->id);
+			close(fd);
 			return -1;
 		}
 		break;
@@ -110,6 +112,7 @@ static int dns_connect_nameserver(struct dns_nameserver *ns)
 		}
 		break;
 	default:
+		close(fd);
 		BUG_ON(1, "DNS: Unsupported address family.");
 	}