From nobody Tue Nov 04 01:11:34 2025
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4d0r526N1fz6G8yj;
	Tue, 04 Nov 2025 01:11:34 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4d0r525dr8z3yfQ;
	Tue, 04 Nov 2025 01:11:34 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1762218694;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=ik5BUcCqMEkbTWMKietnsZBuB+ruWMQgc+QjLPi9Oz8=;
	b=aLPtGycojQA0UzzAG12XSBoA1q05HH6yEBUP7glNxZIu57rjQv0G7YSTz7MeYhluNxjrDh
	juMrmlX+4eWWsqrMP8hkqWqtxMzjt+MPl/2h58+apoCGv7rRkm70zvuIyIBXl9bGOJwZgM
	l4Se+Tb6p5YWw3zwzftoNrZOdZeo833GZIvxD65b+Al+QnZieijkPrJhDy9SiegRnFKLY1
	G4ypr6IAAdq30t6eZoz1WR1j4BfVjBDIgDJw04AuCZ++q1pqsFTDegTE4II/CM6T3IEIRm
	jEkDCr2bsEscHmUL+PzKH0+q2W0tfr5hJ163Mc3m/77y/9rdMYVCTERQBKVRrA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1762218694;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=ik5BUcCqMEkbTWMKietnsZBuB+ruWMQgc+QjLPi9Oz8=;
	b=Qke74v9npRONBh1Sxp9YAgIhMWXJ4ItN7aXufTkS0c7uOKjFUVON8IHkWdjwlNhKc0VjR7
	rabGiC3VZYYTdHmc0B5juLVJNMqKDSL9WnGjHwOwoR5zCyjvGCbidAFyjbpTBvuvlhB22O
	FbFhxJDwXzVpqxUkAajte85M1FWKRZLD+vyDVl3NiB9EKd7xDCxtHID/fes7AAWKXTMrgP
	C50Sy4DaBd2DHCpjg+kAMdnraexPfLCbwlOohJ/OLX9BpFV/6/gWWO+xjDZwlJXgkm5513
	zqBG1MC/b6UaApVXBp/Qo/QIm1Ke1R902kdgs1ieB+hl+MZ6EYAJAXoJFS7HUA==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1762218694; a=rsa-sha256; cv=none;
	b=Bgg54zE7g2wwrEw0vsmLV3y9ROkja8R6D9Cu37o1ZsJ0SaEVte88cwTZgr0Qls9cQrfjnX
	88lK8pXHboCqdv8upohNBSnocuBMpPut9sELrPCZ0yT+4aP39cHrUG2GWbQispcYmKh07C
	VDH7XL9Wh8VHtjxY6gA/6xjllw30kobEq5yVPX0BgNB01t/72m9zTe0tfUtZmq+OabZDWs
	A2jNQykOo9KefjsUFnk1IcHq5Uuum6Z2LAmYHAeEMzzjKLXQeuUBWwSsmcH4s75/4Hcag2
	t5TrnAKBRDsQiGPKQCRjqyC8ERwuRHHpeOObC7XNMbG2+zKHC5yYGVQpDSl4Ng==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4d0r525CDVzcH9;
	Tue, 04 Nov 2025 01:11:34 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 5A41BY2x093392;
	Tue, 4 Nov 2025 01:11:34 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 5A41BY8N093389;
	Tue, 4 Nov 2025 01:11:34 GMT
	(envelope-from git)
Date: Tue, 4 Nov 2025 01:11:34 GMT
Message-Id: <202511040111.5A41BY8N093389@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: Lexi Winter <ivy@FreeBSD.org>
Subject: git: 0899f7a3b791 - main - ifconfig: Fix invalid free()
  in ifbridge
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: ivy
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 0899f7a3b791ed4878e7cb3859636ec980c76832
Auto-Submitted: auto-generated

The branch main has been updated by ivy:

URL: https://cgit.FreeBSD.org/src/commit/?id=0899f7a3b791ed4878e7cb3859636ec980c76832

commit 0899f7a3b791ed4878e7cb3859636ec980c76832
Author:     Lexi Winter <ivy@FreeBSD.org>
AuthorDate: 2025-11-04 00:53:25 +0000
Commit:     Lexi Winter <ivy@FreeBSD.org>
CommitDate: 2025-11-04 00:53:25 +0000

    ifconfig: Fix invalid free() in ifbridge
    
    parse_vlans() does 's = strdup(str)', then calls strsep(&s, ...), then
    attempts to free(s) at the end of the function.  For the success case,
    this is fine (s is NULL, so it's a trivial memory leak), but in the
    error case, we will attempt to free an invalid pointer.
    
    Fix this by storing the original return value from strdup() and freeing
    that instead.
    
    MFC after:      3 seconds
    Reported by:    David Gwynne <dlg@openbsd.org>
    Reviewed by:    zlei, kevans
    Sponsored by:   https://www.patreon.com/bsdivy
    Differential Revision:  https://reviews.freebsd.org/D53545
---
 sbin/ifconfig/ifbridge.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/sbin/ifconfig/ifbridge.c b/sbin/ifconfig/ifbridge.c
index eff443447c13..8bcf4a638adf 100644
--- a/sbin/ifconfig/ifbridge.c
+++ b/sbin/ifconfig/ifbridge.c
@@ -811,7 +811,7 @@ unsetbridge_private(if_ctx *ctx, const char *val, int dummy __unused)
 static int
 parse_vlans(ifbvlan_set_t *set, const char *str)
 {
-	char *s, *token;
+	char *s, *free_s, *token;
 
 	/* "none" means the empty vlan set */
 	if (strcmp(str, "none") == 0) {
@@ -829,6 +829,8 @@ parse_vlans(ifbvlan_set_t *set, const char *str)
 
 	if ((s = strdup(str)) == NULL)
 		return (-1);
+	/* Keep the original value of s, since strsep() will modify it */
+	free_s = s;
 
 	while ((token = strsep(&s, ",")) != NULL) {
 		unsigned long first, last;
@@ -856,11 +858,11 @@ parse_vlans(ifbvlan_set_t *set, const char *str)
 			BRVLAN_SET(set, vlan);
 	}
 
-	free(s);
+	free(free_s);
 	return (0);
 
 err:
-	free(s);
+	free(free_s);
 	return (-1);
 }