From c0d96fd8732bd903ab390bb5047a13880cdcac9b Mon Sep 17 00:00:00 2001 From: Joshua Rogers Date: Wed, 22 Oct 2025 01:20:52 +0800 Subject: [PATCH] tcp: apply CLOEXEC to accepted socket, not listener The accept path calls set_cloexec(sd) after accept(). That re-flags the listening socket, which is already CLOEXEC from create_socket_tcp(), and leaves new_sd inheritable. As a result, client-connect and auth scripts spawned after accept can inherit the connected socket and read or write the raw TCP stream. This defeats the stated intent to prevent scripts from accessing the client socket. This bug was found using ZeroPath. Signed-off-by: Joshua Rogers Acked-by: Gert Doering Message-Id: <-MNw5Hu8h0rHV18x36ISt7V0UHchIO4i-JoAeV_wlxS1AmDIAe7YVYNput3_r2hiu3HhwxkhGyUhv4-iH_E7mf7nGjvocmGXlDq7Tjly5cE=@joshua.hu> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33823.html Signed-off-by: Gert Doering --- src/openvpn/socket.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 40a86fbb6..8eac96dd0 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -836,7 +836,7 @@ socket_do_accept(socket_descriptor_t sd, struct link_socket_actual *act, const b { /* set socket file descriptor to not pass across execs, so that * scripts don't have access to it */ - set_cloexec(sd); + set_cloexec(new_sd); } return new_sd; } -- 2.47.3
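Review bot: the comment directly above the changed call in socket_do_accept() still reads "set socket file descriptor to not pass across execs" without saying which descriptor, and that ambiguity is what let set_cloexec(sd) pass as correct. Suggest rewording it to name the accepted connection, for example "set the accepted socket (new_sd) to not pass across execs", and noting there that the listener is already flagged in create_socket_tcp(), as the commit message states. The condition guarding this block is outside the visible context, so it is worth confirming that it tests new_sd and not sd, so that set_cloexec(new_sd) is only reached with a valid descriptor. The flag is also applied in a separate call after accept(), so new_sd is briefly inheritable. If any code path can fork and exec in that window, an accept variant that sets close-on-exec atomically (accept4() with SOCK_CLOEXEC where the platform has it) would close the gap. A regression check that asserts FD_CLOEXEC in the fcntl(F_GETFD) result for the descriptor returned by socket_do_accept() would keep this from coming back.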