From: Marc Jorge <openbsd@cypher-fox.com>
Subject: relayd: close duplicated fds on error
To: tech@openbsd.org
Date: Fri, 3 Apr 2026 18:19:11 +0200

Hello,

Duplicated fds are not properly closed in config_setrelayfd() and
config_setrelay() when an error occurs.


diff -u -p -u -r1.49 config.c
--- usr.sbin/relayd/config.c	3 Apr 2026 09:36:21 -0000	1.49
+++ usr.sbin/relayd/config.c	3 Apr 2026 16:16:48 -0000
@@ -814,8 +814,10 @@ config_setrelayfd(struct privsep *ps, in
  	if ((fd = dup(ofd)) == -1)
  		return (-1);
  	if (proc_compose_imsg(ps, id, n, IMSG_CFG_RELAY_FD, -1, fd,
-	    &rfd, sizeof(rfd)) != 0)
+	    &rfd, sizeof(rfd)) != 0) {
+		close(fd);
  		return (-1);
+	}

  	return (0);
  }
@@ -872,6 +874,7 @@ config_setrelay(struct relayd *env, stru
  					log_warn("%s: failed to compose "
  					    "IMSG_CFG_RELAY imsg for `%s'",
  					    __func__, rlay->rl_conf.name);
+					close(fd);
  					return (-1);
  				}
  				/* Prevent fd exhaustion in the parent. */
@@ -879,6 +882,7 @@ config_setrelay(struct relayd *env, stru
  					log_warn("%s: failed to flush "
  					    "IMSG_CFG_RELAY imsg for `%s'",
  					    __func__, rlay->rl_conf.name);
+					close(fd);
  					return (-1);
  				}
  			}