From: William Lallemand <wlallemand@haproxy.com>
Date: Mon, 16 Mar 2026 15:08:45 +0000 (+0100)
Subject: BUG/MINOR: sockpair: set FD_CLOEXEC on fd received via SCM_RIGHTS
X-Git-Tag: v3.4-dev7~39
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ab7acdcc3a01afc3bf9988bf00b25dd6a4152c59;p=thirdparty%2Fhaproxy.git

BUG/MINOR: sockpair: set FD_CLOEXEC on fd received via SCM_RIGHTS

FDs received through recv_fd_uxst() do not have FD_CLOEXEC set.
The equivalent sock_accept_conn() already handles this correctly:
any FD accepted or received in the master must be marked close-on-exec
to avoid leaking it across the execvp() performed on soft-reload.

This is currently triggering a leak in the master since 3.1: the worker
sends a socketpair fd to the master  to issue the _send_status CLI
command, and recv_fd_uxst() receive it without setting FD_CLOEXEC.  If a
re-exec is emitted before the master had the chance to close that fd, it
survives execvp() and appears as an untracked unnamed AF_UNIX socket in
the new master generation.

This must be backported to all maintained branches.
---

diff --git a/src/proto_sockpair.c b/src/proto_sockpair.c
index da39c5e9e..840cd4010 100644
--- a/src/proto_sockpair.c
+++ b/src/proto_sockpair.c
@@ -488,8 +488,11 @@ struct connection *sockpair_accept_conn(struct listener *l, int *status)
 	int ret;
 	int cfd;
 
-	if ((cfd = recv_fd_uxst(l->rx.fd)) != -1)
+	if ((cfd = recv_fd_uxst(l->rx.fd)) != -1) {
 		fd_set_nonblock(cfd);
+		if (master)
+			fd_set_cloexec(cfd);
+	}
 
 	if (likely(cfd != -1)) {
 		/* Perfect, the connection was accepted */