From d2b5f7223abe4825410392a54ac34dc973465faf Mon Sep 17 00:00:00 2001
From: Ross Lagerwall <rosslagerwall@gmail.com>
Date: Sat, 11 Feb 2012 17:23:17 +0200
Subject: [PATCH 1/2] Make uses of open() close-on-exec safe by introducing
 evutil_open_closeonexec.

In a multi-process/threaded environment, opening fds internally
without the close-on-exec flag could leak fds to child processes.
---
 arc4random.c    |  4 ++--
 devpoll.c       |  2 +-
 evutil.c        | 23 ++++++++++++++++++++++-
 util-internal.h |  2 ++
 4 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/arc4random.c b/arc4random.c
index ee2b73a2..cabc46f4 100644
--- a/arc4random.c
+++ b/arc4random.c
@@ -260,7 +260,7 @@ arc4_seed_proc_sys_kernel_random_uuid(void)
 	unsigned char entropy[64];
 	int bytes, n, i, nybbles;
 	for (bytes = 0; bytes<ADD_ENTROPY; ) {
-		fd = open("/proc/sys/kernel/random/uuid", O_RDONLY, 0);
+		fd = evutil_open_closeonexec("/proc/sys/kernel/random/uuid", O_RDONLY, 0);
 		if (fd < 0)
 			return -1;
 		n = read(fd, buf, sizeof(buf));
@@ -304,7 +304,7 @@ arc4_seed_urandom(void)
 	size_t n;
 
 	for (i = 0; filenames[i]; ++i) {
-		fd = open(filenames[i], O_RDONLY, 0);
+		fd = evutil_open_closeonexec(filenames[i], O_RDONLY, 0);
 		if (fd<0)
 			continue;
 		n = read_all(fd, buf, sizeof(buf));
diff --git a/devpoll.c b/devpoll.c
index 0c7214b7..f99cc013 100644
--- a/devpoll.c
+++ b/devpoll.c
@@ -129,7 +129,7 @@ devpoll_init(struct event_base *base)
 		nfiles = rl.rlim_cur;
 
 	/* Initialize the kernel queue */
-	if ((dpfd = open("/dev/poll", O_RDWR)) == -1) {
+	if ((dpfd = evutil_open_closeonexec("/dev/poll", O_RDWR, 0)) == -1) {
 		event_warn("open: /dev/poll");
 		mm_free(devpollop);
 		return (NULL);
diff --git a/evutil.c b/evutil.c
index 56c99097..7e392790 100644
--- a/evutil.c
+++ b/evutil.c
@@ -87,6 +87,27 @@
 #define stat _stati64
 #endif
 
+int
+evutil_open_closeonexec(const char *pathname, int flags, mode_t mode)
+{
+	int fd;
+
+#ifdef O_CLOEXEC
+	flags |= O_CLOEXEC;
+#endif
+
+	fd = open(pathname, flags, mode);
+	if (fd < 0)
+		return -1;
+
+#if !defined(O_CLOEXEC) && defined(FD_CLOEXEC)
+	if (fcntl(fd, F_SETFD, FD_CLOEXEC) < 0)
+		return -1;
+#endif
+
+	return fd;
+}
+
 /**
    Read the contents of 'filename' into a newly allocated NUL-terminated
    string.  Set *content_out to hold this string, and *len_out to hold its
@@ -117,7 +138,7 @@ evutil_read_file(const char *filename, char **content_out, size_t *len_out,
 		mode |= O_BINARY;
 #endif
 
-	fd = open(filename, mode);
+	fd = evutil_open_closeonexec(filename, mode, 0);
 	if (fd < 0)
 		return -1;
 	if (fstat(fd, &st) || st.st_size < 0 ||
diff --git a/util-internal.h b/util-internal.h
index d51bc000..d09aa471 100644
--- a/util-internal.h
+++ b/util-internal.h
@@ -161,6 +161,8 @@ char EVUTIL_TOLOWER(char c);
 #define EVUTIL_UPCAST(ptr, type, field)				\
 	((type *)(((char*)(ptr)) - evutil_offsetof(type, field)))
 
+int evutil_open_closeonexec(const char *pathname, int flags, mode_t mode);
+
 int evutil_read_file(const char *filename, char **content_out, size_t *len_out,
     int is_binary);
 

From 03dce42dfa0380a96bdfc2e9c18b15318ec0ba5b Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Sat, 11 Feb 2012 21:17:18 -0500
Subject: [PATCH 2/2] Tweak the evutil_open_closeonexec patch to work on
 windows, old unixes.

Windows doesn't have a mode_t as far as I can tell.

Some unixes, iirc, don't like three-argument open without O_CREAT.
---
 evutil.c        | 7 +++++--
 util-internal.h | 5 ++++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/evutil.c b/evutil.c
index 7e392790..b6634591 100644
--- a/evutil.c
+++ b/evutil.c
@@ -88,7 +88,7 @@
 #endif
 
 int
-evutil_open_closeonexec(const char *pathname, int flags, mode_t mode)
+evutil_open_closeonexec(const char *pathname, int flags, unsigned mode)
 {
 	int fd;
 
@@ -96,7 +96,10 @@ evutil_open_closeonexec(const char *pathname, int flags, mode_t mode)
 	flags |= O_CLOEXEC;
 #endif
 
-	fd = open(pathname, flags, mode);
+	if (flags & O_CREAT)
+		fd = open(pathname, flags, (mode_t)mode);
+	else
+		fd = open(pathname, flags);
 	if (fd < 0)
 		return -1;
 
diff --git a/util-internal.h b/util-internal.h
index d09aa471..47fe962d 100644
--- a/util-internal.h
+++ b/util-internal.h
@@ -161,7 +161,10 @@ char EVUTIL_TOLOWER(char c);
 #define EVUTIL_UPCAST(ptr, type, field)				\
 	((type *)(((char*)(ptr)) - evutil_offsetof(type, field)))
 
-int evutil_open_closeonexec(const char *pathname, int flags, mode_t mode);
+/* As open(pathname, flags, mode), except that the file is always opened with
+ * the close-on-exec flag set. (And the mode argument is mandatory.)
+ */
+int evutil_open_closeonexec(const char *pathname, int flags, unsigned mode);
 
 int evutil_read_file(const char *filename, char **content_out, size_t *len_out,
     int is_binary);