From f28fccd2db929e7034874cf795af0433d8deb467 Mon Sep 17 00:00:00 2001 From: Yossi Gottlieb Date: Thu, 21 Jan 2021 19:55:42 +0200 Subject: [PATCH] Fix anetCloexec for Sentinel TLS conns. (#8377) The flag should be set before TLS negotiation begins to avoid a race condition where a fork+exec before it is completed ends up leaking the file descriptor. --- src/sentinel.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/sentinel.c b/src/sentinel.c index 9da7732a0..75030df78 100644 --- a/src/sentinel.c +++ b/src/sentinel.c @@ -2126,6 +2126,7 @@ void sentinelReconnectInstance(sentinelRedisInstance *ri) { /* Commands connection. */ if (link->cc == NULL) { link->cc = redisAsyncConnectBind(ri->addr->ip,ri->addr->port,NET_FIRST_BIND_ADDR); + if (!link->cc->err) anetCloexec(link->cc->c.fd); if (!link->cc->err && server.tls_replication && (instanceLinkNegotiateTLS(link->cc) == C_ERR)) { sentinelEvent(LL_DEBUG,"-cmd-link-reconnection",ri,"%@ #Failed to initialize TLS"); @@ -2135,7 +2136,6 @@ void sentinelReconnectInstance(sentinelRedisInstance *ri) { link->cc->errstr); instanceLinkCloseConnection(link,link->cc); } else { - anetCloexec(link->cc->c.fd); link->pending_commands = 0; link->cc_conn_time = mstime(); link->cc->data = link; @@ -2154,6 +2154,7 @@ void sentinelReconnectInstance(sentinelRedisInstance *ri) { /* Pub / Sub */ if ((ri->flags & (SRI_MASTER|SRI_SLAVE)) && link->pc == NULL) { link->pc = redisAsyncConnectBind(ri->addr->ip,ri->addr->port,NET_FIRST_BIND_ADDR); + if (!link->pc->err) anetCloexec(link->pc->c.fd); if (!link->pc->err && server.tls_replication && (instanceLinkNegotiateTLS(link->pc) == C_ERR)) { sentinelEvent(LL_DEBUG,"-pubsub-link-reconnection",ri,"%@ #Failed to initialize TLS"); 
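Review bot: The added `if (!link->cc->err) anetCloexec(link->cc->c.fd);` in the commands-connection hunk, and the matching `link->pc` line in the Pub/Sub hunk, depend on running before `instanceLinkNegotiateTLS()`, but only the commit message says so, and a later refactor could move the call back into the `else` branch. I would put a comment above each call, for example `/* Set FD_CLOEXEC before TLS setup: a fork+exec before negotiation completes must not inherit this fd. */`. The return value of `anetCloexec()` is also discarded, so if it can fail (its definition is not part of this diff) the descriptor would stay inheritable with nothing logged. The flag is still applied only after `redisAsyncConnectBind()` has created the socket, so this narrows the window rather than closing it; whether that matters depends on whether anything can fork between the two calls, which these hunks do not show. The body of `sentinelReconnectInstance` starts and ends outside the hunks.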
@@ -2163,7 +2164,6 @@ void sentinelReconnectInstance(sentinelRedisInstance *ri) {
 instanceLinkCloseConnection(link,link->pc);
 } else {
 int retval;
- anetCloexec(link->pc->c.fd);
 link->pc_conn_time = mstime();
 link->pc->data = link;
 redisAeAttach(server.el,link->pc);