git: 06a67a1f05a7 - stable/13 - iscsid: Always free the duplicated address in resolve_addr().

From: John Baldwin <>
Date: Fri, 29 Apr 2022 23:12:22 UTC
The branch stable/13 has been updated by jhb:


commit 06a67a1f05a7f52fbae21acd03d0a39147fb1d71
Author:     John Baldwin <>
AuthorDate: 2021-12-29 00:40:04 +0000
Commit:     John Baldwin <>
CommitDate: 2022-04-29 21:17:30 +0000

    iscsid: Always free the duplicated address in resolve_addr().
    If a "raw" IPv6 address (denoted by a leading '[') is used as a target
    address, then 'arg' is incremented by one to skip over the '['.
    However, this meant that at the end of the function the wrong address
    was passed to free().  With malloc junking enabled and given suitably
    small strings, malloc() would happily overwrite the correct number of
    bytes with junk, but off by one byte overwriting the byte after the
    This manifested as the first byte of the 'HeaderDigest' key being
    overwritten causing the key name on the wire to be sent as
    '\x5eaderDigest' which the target rejected.
    Reported by:    Jithesh Arakkan @ Chelsio
    Found with:     ASAN (via WITH_ASAN=yes)
    Sponsored by:   Chelsio Communications
    (cherry picked from commit c74ab5ce6f259afe1720a326df7e77848cf4f00b)
 usr.sbin/iscsid/iscsid.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/usr.sbin/iscsid/iscsid.c b/usr.sbin/iscsid/iscsid.c
index dc28a4f6f0cb..2689c4a2b455 100644
--- a/usr.sbin/iscsid/iscsid.c
+++ b/usr.sbin/iscsid/iscsid.c
@@ -150,11 +150,11 @@ resolve_addr(const struct connection *conn, const char *address,
     struct addrinfo **ai, bool initiator_side)
 	struct addrinfo hints;
-	char *arg, *addr, *ch;
+	char *arg, *addr, *ch, *tofree;
 	const char *port;
 	int error, colons = 0;
-	arg = checked_strdup(address);
+	tofree = arg = checked_strdup(address);
 	if (arg[0] == '\0') {
 		fail(conn, "empty address");
@@ -216,7 +216,7 @@ resolve_addr(const struct connection *conn, const char *address,
 		    address, gai_strerror(error));
-	free(addr);
+	free(tofree);
 static struct iscsid_connection *