On memory allocation and other errors, res_vinit_1 returns directly: ssize_t ret = __getline (&parser->buffer, &buffer_size, fp); if (ret <= 0) { if (_IO_ferror_unlocked (fp)) return false; else break; } … cp = __strdup (cp); if (cp == NULL) return false; … cp = __strdup (cp); if (cp == NULL) return false; But __resolv_conf_load expects res_vinit_1 to always close the stream. The best fix is probably to change res_vinit_1 not to take ownership. I'm flagging this as security- despite the descriptor resource leak because it is not likely that it is possible to trigger this at will.
The master branch has been updated by Florian Weimer <fw@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a1a20f029299dc27170912bb9233070c8403444d commit a1a20f029299dc27170912bb9233070c8403444d Author: Florian Weimer <fweimer@redhat.com> Date: Tue Jan 21 17:11:01 2020 +0100 resolv: Fix file handle leak in __resolv_conf_load [BZ #25429] res_vinit_1 did not close the stream on errors, only on success. This change moves closing the stream to __resolv_conf_load, for both the success and error cases. Fixes commit 89f187a40fc0ad4e22838526bfe34d73f758b776 ("resolv: Use getline for configuration file reading in res_vinit_1") and commit 3f853f22c87f0b671c0366eb290919719fa56c0e ("resolv: Lift domain search list limits [BZ #19569] [BZ #21475]"), where memory allocation was introduced into res_vinit_1. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Fixed in glibc 2.32.