git: ed82385135cc - stable/14 - pf: fix state leak

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Mon, 25 Sep 2023 12:27:00 UTC 
The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=ed82385135cca73ab0416600269ace3e5bb4cd6c

commit ed82385135cca73ab0416600269ace3e5bb4cd6c
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2023-09-06 07:58:07 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-09-25 12:10:59 +0000

    pf: fix state leak
    
    If we hit the csfailed case in pf_create_state() we may have allocated
    a state, so we must also free it. While here reduce the amount of
    duplicated cleanup code.
    
    MFC after:      2 weeks
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D41772
    
    (cherry picked from commit b6ce41118bb11d3db86eae8fbebc8c198e8b330d)
---
 sys/netpfil/pf/pf.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index a5d7c1ba0155..7cee0833072b 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -4881,13 +4881,8 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a,
 	if (r->rt) {
 		/* pf_map_addr increases the reason counters */
 		if ((reason = pf_map_addr(pd->af, r, pd->src, &s->rt_addr,
-		    &s->rt_kif, NULL, &sn)) != 0) {
-			pf_src_tree_remove_state(s);
-			s->timeout = PFTM_UNLINKED;
-			STATE_DEC_COUNTERS(s);
-			pf_free_state(s);
+		    &s->rt_kif, NULL, &sn)) != 0)
 			goto csfailed;
-		}
 		s->rt = r->rt;
 	}
 
@@ -4946,11 +4941,7 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a,
 	    (pd->dir == PF_IN) ? sk : nk,
 	    (pd->dir == PF_IN) ? nk : sk, s)) {
 		REASON_SET(&reason, PFRES_STATEINS);
-		pf_src_tree_remove_state(s);
-		s->timeout = PFTM_UNLINKED;
-		STATE_DEC_COUNTERS(s);
-		pf_free_state(s);
-		return (PF_DROP);
+		goto drop;
 	} else
 		*sm = s;
 
@@ -5019,6 +5010,14 @@ csfailed:
 		PF_SRC_NODE_UNLOCK(nsn);
 	}
 
+drop:
+	if (s != NULL) {
+		pf_src_tree_remove_state(s);
+		s->timeout = PFTM_UNLINKED;
+		STATE_DEC_COUNTERS(s);
+		pf_free_state(s);
+	}
+
 	return (PF_DROP);
 }