bus signal_handler: call _exit in the unlikely event that the pipe is full or invalid

On OSs with abstract sockets, this is close enough. On OSs without
abstract sockets, this results in failing to clean up Unix sockets
in /tmp if someone has sent us thousands of SIGHUP signals since we
last entered the main loop - I think that's acceptable.

The reload pipe should never get closed, but if it is for some reason,
we want a SIGTERM after that to cause an exit too.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=38656
Reviewed-by: Will Thompson <will.thompson@collabora.co.uk>

1 files changed, 8 insertions, 2 deletions

diff --git a/bus/main.c b/bus/main.c
index b35ccf62..47f38c8c 100644
--- a/bus/main.c
+++ b/bus/main.c
@@ -101,13 +101,19 @@ signal_handler (int sig)
         DBusString str;
         char action[2] = { ACTION_QUIT, '\0' };
         _dbus_string_init_const (&str, action);
-        if ((reload_pipe[RELOAD_WRITE_END] > 0) &&
+        if ((reload_pipe[RELOAD_WRITE_END] < 0) ||
             !_dbus_write_socket (reload_pipe[RELOAD_WRITE_END], &str, 0, 1))
           {
+            /* If we can't write to the socket, dying seems a more
+             * important response to SIGTERM than cleaning up sockets,
+             * so we exit. We'd use exit(), but that's not async-signal-safe,
+             * so we'll have to resort to _exit(). */
             static const char message[] =
-              "Unable to write to reload pipe - buffer full?\n";
+              "Unable to write termination signal to pipe - buffer full?\n"
+              "Will exit instead.\n";
 
             write (STDERR_FILENO, message, strlen (message));
+            _exit (1);
           }
       }
       break;