git: 329c9b9da592 - stable/12 - pf: fix more syncookie memory leaks
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 06 Jun 2022 11:45:53 UTC
The branch stable/12 has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=329c9b9da5928e0a2de0014c4f6a254ceae299ec
commit 329c9b9da5928e0a2de0014c4f6a254ceae299ec
Author: Franco Fichtner <franco@opnsense.org>
AuthorDate: 2022-06-02 16:27:43 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-06-06 07:02:13 +0000
pf: fix more syncookie memory leaks
Allocate memory for packed nvlists in M_NVLIST, as nvlist_pack() does
this as well, and we use the same variable interchangable with the
memory we allocate. When we free it we can end up freeing from the wrong
zone, leaking memory.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D35385
(cherry picked from commit a37e0e6de6527a7eaddea8e28f5e4b3427fba1a4)
---
sys/netpfil/pf/pf_ioctl.c | 10 +++++-----
sys/netpfil/pf/pf_syncookies.c | 6 +++---
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index e2b5d0704f16..9cbe1859cd6b 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2323,7 +2323,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
if (nv->len > pf_ioctl_maxcount)
ERROUT(ENOMEM);
- nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
+ nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
error = copyin(nv->data, nvlpacked, nv->len);
if (error)
ERROUT(error);
@@ -2362,13 +2362,13 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
anchor_call, td);
nvlist_destroy(nvl);
- free(nvlpacked, M_TEMP);
+ free(nvlpacked, M_NVLIST);
break;
#undef ERROUT
DIOCADDRULENV_error:
pf_krule_free(rule);
nvlist_destroy(nvl);
- free(nvlpacked, M_TEMP);
+ free(nvlpacked, M_NVLIST);
break;
}
@@ -5178,7 +5178,7 @@ pf_keepcounters(struct pfioc_nv *nv)
if (nv->len > pf_ioctl_maxcount)
ERROUT(ENOMEM);
- nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
+ nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
if (nvlpacked == NULL)
ERROUT(ENOMEM);
@@ -5197,7 +5197,7 @@ pf_keepcounters(struct pfioc_nv *nv)
on_error:
nvlist_destroy(nvl);
- free(nvlpacked, M_TEMP);
+ free(nvlpacked, M_NVLIST);
return (error);
}
diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c
index a3cc6650bbce..de0f27926a41 100644
--- a/sys/netpfil/pf/pf_syncookies.c
+++ b/sys/netpfil/pf/pf_syncookies.c
@@ -171,7 +171,7 @@ pf_get_syncookies(struct pfioc_nv *nv)
#undef ERROUT
errout:
nvlist_destroy(nvl);
- free(nvlpacked, M_TEMP);
+ free(nvlpacked, M_NVLIST);
return (error);
}
@@ -191,7 +191,7 @@ pf_set_syncookies(struct pfioc_nv *nv)
if (nv->len > pf_ioctl_maxcount)
return (ENOMEM);
- nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
+ nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
if (nvlpacked == NULL)
return (ENOMEM);
@@ -232,7 +232,7 @@ pf_set_syncookies(struct pfioc_nv *nv)
#undef ERROUT
errout:
nvlist_destroy(nvl);
- free(nvlpacked, M_TEMP);
+ free(nvlpacked, M_NVLIST);
return (error);
}