From 08dab29d9e5091557b457642c8fec0ccd9e2f09c Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Jan 12 2021 15:44:26 +0000
Subject: If calling a CA helper fails, call cm_casave_done to reap CA helper calls to certmaster when the certmaster helper wasn't installed was causing 8 zombie processes (one for each query). It is due to waitpid() not being called on them. https://pagure.io/certmonger/issue/185
---
diff --git a/src/cadata.c b/src/cadata.c
index 3e916c9..cb9c13e 100644
--- a/src/cadata.c
+++ b/src/cadata.c
@@ -771,8 +771,7 @@ cm_cadata_start_generic(struct cm_store_ca *ca, const char *op,
 if (read(error_fd[0], &u, 1) == 1) {
 cm_log(1, "Error running enrollment helper \"%s\": %s.\n", ca->cm_ca_external_helper, strerror(u));
- talloc_free(ret);
- return NULL;
+ /* return the state so the process can be reaped */
 }
 return ret;
 }
diff --git a/src/iterate.c b/src/iterate.c
index e6f1097..b855950 100644
--- a/src/iterate.c
+++ b/src/iterate.c
@@ -2358,6 +2358,10 @@ cm_iterate_ca(struct cm_store_ca *ca,
 break;
 }
 if (state->cm_task_state == NULL) {
+ if (ca->cm_ca_type == cm_ca_external) {
+ /* Reap any failed child processes to prevent zombies */
+ cm_casave_done(state->cm_casave_state);
+ }
 ca->cm_ca_state[state->cm_phase] = CM_CA_DISABLED;
 *when = cm_time_now;
 } else {
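Review bot: In src/cadata.c, the exec-failure branch of cm_cadata_start_generic now falls through to `return ret;`, so a non-NULL return no longer tells the caller that the helper started, and nothing visible in the hunk marks the returned state as failed. Every caller therefore has to reap the state even on this path; only the cm_iterate_ca call site is adjusted in this commit, and other callers are not visible here, so they are worth checking for the same zombie leak. I would spell the new contract out in the comment, e.g. `/* exec failed: keep the state so the caller can reap the child; a non-NULL return does not mean the helper ran */`. The function starts outside the hunk.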
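Review bot: In src/iterate.c, the added block in cm_iterate_ca calls `cm_casave_done(state->cm_casave_state)` under a test of `state->cm_task_state`, and the hunk shows neither that `cm_casave_state` is non-NULL at this point nor that it is cleared afterwards. If cm_casave_done releases the state, as its name suggests, the stale pointer left in `state` could be handed to it again on a later pass, which would be a double free. I would guard and reset it: `if (ca->cm_ca_type == cm_ca_external && state->cm_casave_state != NULL) {` followed by `state->cm_casave_state = NULL;` after the call. The enclosing function starts and ends outside the hunk.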