From 4b2823784aab04a70dfc295b16fd6f0592955790 Mon Sep 17 00:00:00 2001
From: David Gibson
Date: Wed, 13 May 2026 17:18:21 +1000
Subject: tcp: Don't leak sockets on error paths

tcp_listen_handler() has several error paths that will cancel the creation of a new flow, after having accept()ed an incoming socket connection. Coverity pointed out that in those cases we leak the new socket. Correct this by properly closing the socket. Make sure to also set SO_LINGER so that the peer will get an RST.

Signed-off-by: David Gibson
Signed-off-by: Stefano Brivio
---
 tcp.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/tcp.c b/tcp.c
index 67f7fb8..0fb8da0 100644
--- a/tcp.c
+++ b/tcp.c
@@ -2578,11 +2578,11 @@ void tcp_listen_handler(const struct ctx *c, union epoll_ref ref,
 err("Invalid endpoint from TCP accept(): %s", sockaddr_ntop(&sa, sastr, sizeof(sastr)));
- goto cancel;
+ goto rst;
 }
 if (!flow_target(c, flow, ref.listen.rule, IPPROTO_TCP))
- goto cancel;
+ goto rst;
 switch (flow->f.pif[TGTSIDE]) {
 case PIF_SPLICE:
@@ -2598,11 +2598,14 @@ void tcp_listen_handler(const struct ctx *c, union epoll_ref ref,
 flow_err(flow, "No support for forwarding TCP from %s to %s", pif_name(flow->f.pif[INISIDE]), pif_name(flow->f.pif[TGTSIDE]));
- goto cancel;
+ goto rst;
 }
 return;
+rst:
+ tcp_linger0(flow, s);
+ close(s);
 cancel:
 flow_alloc_cancel(flow);
 }
-- 
cgit v1.2.3
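Review bot: The new `rst:` label in the second hunk falls through into `cancel:` without a comment, and nothing at the label states that it may only be reached while `s` holds a live accept()ed descriptor. All three converted jumps (two in the first hunk, one in the `default` branch here) appear to sit after accept() succeeded, but the start of tcp_listen_handler() is outside both hunks, so any earlier failure path that runs before `s` is valid has to keep using `goto cancel`. I would add above the label `/* s is a valid accepted socket here: force RST on close, then fall through to drop the flow */`. It is also worth confirming that tcp_linger0() uses `flow` only for logging, since the flow has presumably not been set up as a TCP connection on these paths.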