git: a37e0e6de652 - main - pf: fix more syncookie memory leaks
Date: Thu, 02 Jun 2022 18:18:10 UTC
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=a37e0e6de6527a7eaddea8e28f5e4b3427fba1a4 commit a37e0e6de6527a7eaddea8e28f5e4b3427fba1a4 Author: Franco Fichtner <franco@opnsense.org> AuthorDate: 2022-06-02 16:27:43 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2022-06-02 18:17:25 +0000 pf: fix more syncookie memory leaks Allocate memory for packed nvlists in M_NVLIST, as nvlist_pack() does this as well, and we use the same variable interchangable with the memory we allocate. When we free it we can end up freeing from the wrong zone, leaking memory. Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D35385 --- sys/netpfil/pf/pf_ioctl.c | 20 ++++++++++---------- sys/netpfil/pf/pf_syncookies.c | 6 +++--- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 745b9b69060b..1ccbbd3814ac 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -2722,7 +2722,7 @@ DIOCGETETHRULES_error: if (nv->len > pf_ioctl_maxcount) ERROUT(ENOMEM); - nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); + nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK); if (nvlpacked == NULL) ERROUT(ENOMEM); @@ -2763,7 +2763,7 @@ DIOCGETETHRULES_error: nvlist_destroy(nvl); nvl = NULL; - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); nvlpacked = NULL; rule = TAILQ_FIRST(rs->active.rules); @@ -2803,7 +2803,7 @@ DIOCGETETHRULES_error: #undef ERROUT DIOCGETETHRULE_error: - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); nvlist_destroy(nvl); break; } @@ -2819,7 +2819,7 @@ DIOCGETETHRULE_error: #define ERROUT(x) ERROUT_IOCTL(DIOCADDETHRULE_error, x) - nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); + nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK); if (nvlpacked == NULL) ERROUT(ENOMEM); @@ -2922,7 +2922,7 @@ DIOCGETETHRULE_error: #undef ERROUT DIOCADDETHRULE_error: nvlist_destroy(nvl); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); break; } @@ -3117,7 +3117,7 @@ DIOCGETETHRULESET_error: if (nv->len > pf_ioctl_maxcount) ERROUT(ENOMEM); - nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); + nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK); error = copyin(nv->data, nvlpacked, nv->len); if (error) ERROUT(error); @@ -3156,13 +3156,13 @@ DIOCGETETHRULESET_error: anchor_call, td); nvlist_destroy(nvl); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); break; #undef ERROUT DIOCADDRULENV_error: pf_krule_free(rule); nvlist_destroy(nvl); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); break; } @@ -6018,7 +6018,7 @@ pf_keepcounters(struct pfioc_nv *nv) if (nv->len > pf_ioctl_maxcount) ERROUT(ENOMEM); - nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); + nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK); if (nvlpacked == NULL) ERROUT(ENOMEM); @@ -6037,7 +6037,7 @@ pf_keepcounters(struct pfioc_nv *nv) on_error: nvlist_destroy(nvl); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); return (error); } diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c index 5230502be30c..6a375411d8ea 100644 --- a/sys/netpfil/pf/pf_syncookies.c +++ b/sys/netpfil/pf/pf_syncookies.c @@ -171,7 +171,7 @@ pf_get_syncookies(struct pfioc_nv *nv) #undef ERROUT errout: nvlist_destroy(nvl); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); return (error); } @@ -191,7 +191,7 @@ pf_set_syncookies(struct pfioc_nv *nv) if (nv->len > pf_ioctl_maxcount) return (ENOMEM); - nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); + nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK); if (nvlpacked == NULL) return (ENOMEM); @@ -232,7 +232,7 @@ pf_set_syncookies(struct pfioc_nv *nv) #undef ERROUT errout: nvlist_destroy(nvl); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); return (error); }