Fix race condition in conf file

Closes Coverity #720457

diff --git a/src/main/conffile.c b/src/main/conffile.c
index 7648221..da1a4c9 100644 (file)
--- a/src/main/conffile.c
+++ b/src/main/conffile.c
@@ -1891,9 +1891,17 @@ int cf_file_include(const char *filename, CONF_SECTION *cs)
 
        DEBUG2( "including configuration file %s", filename);
 
+       fp = fopen(filename, "r");
+       if (!fp) {
+               radlog(L_ERR|L_CONS, "Unable to open file \"%s\": %s",
+                      filename, strerror(errno));
+               return -1;
+       }
+
        if (stat(filename, &statbuf) == 0) {
 #ifdef S_IWOTH
                if ((statbuf.st_mode & S_IWOTH) != 0) {
+                       fclose(fp);
                        radlog(L_ERR|L_CONS, "Configuration file %s is globally writable.  Refusing to start due to insecure configuration.",
                               filename);
                        return -1;
@@ -1902,6 +1910,7 @@ int cf_file_include(const char *filename, CONF_SECTION *cs)
 
 #ifdef S_IROTH
                if (0 && (statbuf.st_mode & S_IROTH) != 0) {
+                       fclose(fp);
                        radlog(L_ERR|L_CONS, "Configuration file %s is globally readable.  Refusing to start due to insecure configuration.",
                               filename);
                        return -1;
@@ -1909,13 +1918,6 @@ int cf_file_include(const char *filename, CONF_SECTION *cs)
 #endif
        }
 
-       fp = fopen(filename, "r");
-       if (!fp) {
-               radlog(L_ERR|L_CONS, "Unable to open file \"%s\": %s",
-                      filename, strerror(errno));
-               return -1;
-       }
-
        if (cf_data_find_internal(cs, filename, PW_TYPE_FILENAME)) {
                fclose(fp);
                radlog(L_ERR, "Cannot include the same file twice: \"%s\"",