From: Valentine Krasnobaeva <vkrasnobaeva@haproxy.com>
Date: Fri, 22 Aug 2025 07:55:40 +0000 (+0200)
Subject: MINOR: dns: dns_connect_nameserver: fix fd leak at error path
X-Git-Tag: v3.1.9~72
X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=c97e6b15503b4cd233f1eccf09d07bc16a375933;p=haproxy-3.1.git

MINOR: dns: dns_connect_nameserver: fix fd leak at error path

This fixes the commit 2c7e05f80e3b
("MEDIUM: dns: don't call connect to dest socket for AF_INET*"). If we fail to
bind AF_INET sockets or the address family of the nameserver protocol isn't
something, what we expect, we need to close the fd, obtained by
connect.

This fixes the issue GitHub #3085
This must be backported along with the commit 2c7e05f80e3b.

(cherry picked from commit 0dc8d8d027114262bc470d94ecc2664523961446)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 8452cf3ea382d381e6dfc496374d4da2c862909f)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
---

diff --git a/src/dns.c b/src/dns.c
index f3c3a57..18cb79c 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -77,6 +77,7 @@ static int dns_connect_nameserver(struct dns_nameserver *ns)
 			send_log(NULL, LOG_WARNING,
 				 "DNS : section '%s': can't bind socket for nameserver '%s' on 0.0.0.0:0.\n",
 				 ns->counters->pid, ns->id);
+			close(fd);
 			return -1;
 		}
 		break;
@@ -93,6 +94,7 @@ static int dns_connect_nameserver(struct dns_nameserver *ns)
 			send_log(NULL, LOG_WARNING,
 				 "DNS : section '%s': can't bind socket for nameserver '%s' on :::0.\n",
 				 ns->counters->pid, ns->id);
+			close(fd);
 			return -1;
 		}
 		break;
@@ -110,6 +112,7 @@ static int dns_connect_nameserver(struct dns_nameserver *ns)
 		}
 		break;
 	default:
+		close(fd);
 		BUG_ON(1, "DNS: Unsupported address family.");
 	}