Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 6 Jun 2022 11:45:55 GMT
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 4f9d5dcc4510 - stable/13 - pf: fix more syncookie memory leaks
Message-ID:  <202206061145.256BjtvR054110@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=4f9d5dcc451042d0cc03cdb20fba77eaa66097c8

commit 4f9d5dcc451042d0cc03cdb20fba77eaa66097c8
Author:     Franco Fichtner <franco@opnsense.org>
AuthorDate: 2022-06-02 16:27:43 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-06-06 07:01:34 +0000

    pf: fix more syncookie memory leaks
    
    Allocate memory for packed nvlists in M_NVLIST, as nvlist_pack() does
    this as well, and we use the same variable interchangable with the
    memory we allocate. When we free it we can end up freeing from the wrong
    zone, leaking memory.
    
    Reviewed by:    kp
    Differential Revision:  https://reviews.freebsd.org/D35385
    
    (cherry picked from commit a37e0e6de6527a7eaddea8e28f5e4b3427fba1a4)
---
 sys/netpfil/pf/pf_ioctl.c      | 10 +++++-----
 sys/netpfil/pf/pf_syncookies.c |  6 +++---
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index fd0eb5b85299..6820d1f909e5 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2352,7 +2352,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
 		if (nv->len > pf_ioctl_maxcount)
 			ERROUT(ENOMEM);
 
-		nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
+		nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
 		error = copyin(nv->data, nvlpacked, nv->len);
 		if (error)
 			ERROUT(error);
@@ -2391,13 +2391,13 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
 		    anchor_call, td);
 
 		nvlist_destroy(nvl);
-		free(nvlpacked, M_TEMP);
+		free(nvlpacked, M_NVLIST);
 		break;
 #undef ERROUT
 DIOCADDRULENV_error:
 		pf_krule_free(rule);
 		nvlist_destroy(nvl);
-		free(nvlpacked, M_TEMP);
+		free(nvlpacked, M_NVLIST);
 
 		break;
 	}
@@ -5172,7 +5172,7 @@ pf_keepcounters(struct pfioc_nv *nv)
 	if (nv->len > pf_ioctl_maxcount)
 		ERROUT(ENOMEM);
 
-	nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
+	nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
 	if (nvlpacked == NULL)
 		ERROUT(ENOMEM);
 
@@ -5191,7 +5191,7 @@ pf_keepcounters(struct pfioc_nv *nv)
 
 on_error:
 	nvlist_destroy(nvl);
-	free(nvlpacked, M_TEMP);
+	free(nvlpacked, M_NVLIST);
 	return (error);
 }
 
diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c
index 5230502be30c..6a375411d8ea 100644
--- a/sys/netpfil/pf/pf_syncookies.c
+++ b/sys/netpfil/pf/pf_syncookies.c
@@ -171,7 +171,7 @@ pf_get_syncookies(struct pfioc_nv *nv)
 #undef ERROUT
 errout:
 	nvlist_destroy(nvl);
-	free(nvlpacked, M_TEMP);
+	free(nvlpacked, M_NVLIST);
 
 	return (error);
 }
@@ -191,7 +191,7 @@ pf_set_syncookies(struct pfioc_nv *nv)
 	if (nv->len > pf_ioctl_maxcount)
 		return (ENOMEM);
 
-	nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
+	nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
 	if (nvlpacked == NULL)
 		return (ENOMEM);
 
@@ -232,7 +232,7 @@ pf_set_syncookies(struct pfioc_nv *nv)
 #undef ERROUT
 errout:
 	nvlist_destroy(nvl);
-	free(nvlpacked, M_TEMP);
+	free(nvlpacked, M_NVLIST);
 
 	return (error);
 }

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202206061145.256BjtvR054110>