nsjail: don't add connections to the proxy map if launching a new process failed

diff --git a/nsjail.cc b/nsjail.cc
index 52f85f6a8ba985621c55a7841028ae4e9db062d7..be8b604690eaa6518257b5c855affe2eca801807 100644 (file)
--- a/nsjail.cc
+++ b/nsjail.cc
@@ -240,16 +240,25 @@ static int listenMode(nsjconf_t* nsjconf) {
                                        PLOG_E("pipe");
                                        continue;
                                }
+
                                pid_t pid =
                                    subproc::runChild(nsjconf, connfd, in[0], out[1], out[1]);
-                               nsjconf->pipes.push_back({
-                                   .sock_fd = connfd,
-                                   .pipe_in = in[1],
-                                   .pipe_out = out[0],
-                                   .pid = pid,
-                               });
+
                                close(in[0]);
                                close(out[1]);
+
+                               if (pid <= 0) {
+                                       close(in[1]);
+                                       close(out[0]);
+                                       close(connfd);
+                               } else {
+                                       nsjconf->pipes.push_back({
+                                           .sock_fd = connfd,
+                                           .pipe_in = in[1],
+                                           .pipe_out = out[0],
+                                           .pid = pid,
+                                       });
+                               }
                        }
                }
                subproc::reapProc(nsjconf);