From d95c1e8b65c4ec66b8fcd2f7ede257853a888750 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 19 Sep 2018 15:17:05 +0200
Subject: libxtables: Use posix_spawn() instead of vfork()

According to covscan, vfork() may lead to a deadlock in the parent
process. It suggests to use posix_spawn() instead. Since the latter
combines vfork() and exec() calls, use it for xtables_insmod().

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 libxtables/xtables.c | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

(limited to 'libxtables/xtables.c')

diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index ffd8fbcf..6dd0b152 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -21,6 +21,7 @@
 #include <fcntl.h>
 #include <inttypes.h>
 #include <netdb.h>
+#include <spawn.h>
 #include <stdarg.h>
 #include <stdbool.h>
 #include <stdio.h>
@@ -362,6 +363,7 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
 	char *buf = NULL;
 	char *argv[4];
 	int status;
+	pid_t pid;
 
 	/* If they don't explicitly set it, read out of kernel */
 	if (!modprobe) {
@@ -382,18 +384,11 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
 	 */
 	fflush(stdout);
 
-	switch (vfork()) {
-	case 0:
-		execv(argv[0], argv);
-
-		/* not usually reached */
-		_exit(1);
-	case -1:
+	if (posix_spawn(&pid, argv[0], NULL, NULL, argv, NULL)) {
 		free(buf);
 		return -1;
-
-	default: /* parent */
-		wait(&status);
+	} else {
+		waitpid(pid, &status, 0);
 	}
 
 	free(buf);
-- 
cgit v1.2.3