Fix race condition in conf file

Closes Coverity #720457
FreeRADIUS · Feb 17, 2013 · 47317e7 · 47317e7
1 parent 31018af
commit 47317e7
Showing 1 changed file with 9 additions and 7 deletions.
diff --git a/src/main/conffile.c b/src/main/conffile.c
@@ -1844,9 +1844,17 @@ int cf_file_include(const char *filename, CONF_SECTION *cs)
 
 	DEBUG2( "including configuration file %s", filename);
 
+	fp = fopen(filename, "r");
+	if (!fp) {
+		radlog(L_ERR|L_CONS, "Unable to open file \"%s\": %s",
+		       filename, strerror(errno));
+		return -1;
+	}
+
 	if (stat(filename, &statbuf) == 0) {
 #ifdef S_IWOTH
 		if ((statbuf.st_mode & S_IWOTH) != 0) {
+			fclose(fp);
 			radlog(L_ERR|L_CONS, "Configuration file %s is globally writable.  Refusing to start due to insecure configuration.",
 			       filename);
 			return -1;
@@ -1855,20 +1863,14 @@ int cf_file_include(const char *filename, CONF_SECTION *cs)
 
 #ifdef S_IROTH
 		if (0 && (statbuf.st_mode & S_IROTH) != 0) {
+			fclose(fp);
 			radlog(L_ERR|L_CONS, "Configuration file %s is globally readable.  Refusing to start due to insecure configuration.",
 			       filename);
 			return -1;
 		}
 #endif
 	}
 
-	fp = fopen(filename, "r");
-	if (!fp) {
-		radlog(L_ERR|L_CONS, "Unable to open file \"%s\": %s",
-		       filename, strerror(errno));
-		return -1;
-	}
-
 	if (cf_data_find_internal(cs, filename, PW_TYPE_FILENAME)) {
 		fclose(fp);
 		radlog(L_ERR, "Cannot include the same file twice: \"%s\"",