Date: Fri, 4 Jun 2021 09:47:50 GMT From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 364c6a71a840 - stable/13 - pf: Fix more ioctl memory leaks Message-ID: <202106040947.1549lod1040105@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=364c6a71a840e8cf48eeea3bef81623d6f3574ff commit 364c6a71a840e8cf48eeea3bef81623d6f3574ff Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2021-06-01 14:05:47 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2021-06-04 08:12:11 +0000 pf: Fix more ioctl memory leaks We must also remember to free nvlists added to a parent nvlist with nvlist_append_nvlist_array(). More importantly, when nvlist_pack() allocates memory for us it does so in the M_NVLIST zone, so we must free it with free(.., M_NVLIST). Using free(.., M_TEMP) as we did silently failed to free the memory. MFC after: 3 days Reported by: kib@ Tested by: kib@ Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D30595 (cherry picked from commit 0f86492b09ca82042166a41f6f21b2dbe4f4a464) --- sys/netpfil/pf/pf_ioctl.c | 27 ++++++++++++++------------- sys/netpfil/pf/pf_nv.c | 1 + 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index af89ddf80daf..be7b8be23a31 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -2427,7 +2427,7 @@ DIOCADDRULENV_error: ERROUT(ENOMEM); /* Copy the request in */ - nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); + nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK); if (nvlpacked == NULL) ERROUT(ENOMEM); @@ -2505,7 +2505,7 @@ DIOCADDRULENV_error: ERROUT(EBUSY); } - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); nvlpacked = nvlist_pack(nvl, &nv->len); if (nvlpacked == NULL) { PF_RULES_WUNLOCK(); @@ -2535,7 +2535,7 @@ DIOCADDRULENV_error: #undef ERROUT DIOCGETRULENV_error: - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); nvlist_destroy(nvrule); nvlist_destroy(nvl); @@ -4919,7 +4919,7 @@ pf_killstates_nv(struct pfioc_nv *nv) if (nv->len > pf_ioctl_maxcount) ERROUT(ENOMEM); - nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); + nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK); if (nvlpacked == NULL) ERROUT(ENOMEM); @@ -4937,7 +4937,7 @@ pf_killstates_nv(struct pfioc_nv *nv) error = pf_killstates(&kill, &killed); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); nvlpacked = NULL; nvlist_destroy(nvl); nvl = nvlist_create(0); @@ -4959,7 +4959,7 @@ pf_killstates_nv(struct pfioc_nv *nv) on_error: nvlist_destroy(nvl); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); return (error); } @@ -4977,7 +4977,7 @@ pf_clearstates_nv(struct pfioc_nv *nv) if (nv->len > pf_ioctl_maxcount) ERROUT(ENOMEM); - nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); + nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK); if (nvlpacked == NULL) ERROUT(ENOMEM); @@ -4995,7 +4995,7 @@ pf_clearstates_nv(struct pfioc_nv *nv) killed = pf_clear_states(&kill); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); nvlpacked = NULL; nvlist_destroy(nvl); nvl = nvlist_create(0); @@ -5018,7 +5018,7 @@ pf_clearstates_nv(struct pfioc_nv *nv) #undef ERROUT on_error: nvlist_destroy(nvl); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); return (error); } @@ -5036,7 +5036,7 @@ pf_getstate(struct pfioc_nv *nv) if (nv->len > pf_ioctl_maxcount) ERROUT(ENOMEM); - nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); + nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK); if (nvlpacked == NULL) ERROUT(ENOMEM); @@ -5055,7 +5055,7 @@ pf_getstate(struct pfioc_nv *nv) if (s == NULL) ERROUT(ENOENT); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); nvlpacked = NULL; nvlist_destroy(nvl); nvl = nvlist_create(0); @@ -5084,7 +5084,7 @@ pf_getstate(struct pfioc_nv *nv) errout: if (s != NULL) PF_STATE_UNLOCK(s); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); nvlist_destroy(nvl); return (error); } @@ -5126,6 +5126,7 @@ pf_getstates(struct pfioc_nv *nv) goto DIOCGETSTATESNV_full; } nvlist_append_nvlist_array(nvl, "states", nvls); + nvlist_destroy(nvls); count++; } PF_HASHROW_UNLOCK(ih); @@ -5152,7 +5153,7 @@ DIOCGETSTATESNV_full: #undef ERROUT errout: - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); nvlist_destroy(nvl); return (error); } diff --git a/sys/netpfil/pf/pf_nv.c b/sys/netpfil/pf/pf_nv.c index 863259dbf9aa..dab72f04d138 100644 --- a/sys/netpfil/pf/pf_nv.c +++ b/sys/netpfil/pf/pf_nv.c @@ -846,6 +846,7 @@ pf_state_key_to_nvstate_key(const struct pf_state_key *key) if (tmp == NULL) goto errout; nvlist_append_nvlist_array(nvl, "addr", tmp); + nvlist_destroy(tmp); nvlist_append_number_array(nvl, "port", key->port[i]); } nvlist_add_number(nvl, "af", key->af);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202106040947.1549lod1040105>