From nobody Mon Jun 06 11:45:53 2022
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 62AFF1BDDB0C;
	Mon,  6 Jun 2022 11:45:56 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4LGsBV3c95z3CZF;
	Mon,  6 Jun 2022 11:45:54 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1654515954;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=uh2N3S+n7/uAiWkyDC7kzP0FpYqRMz/YGLWN53SRRvA=;
	b=hxPevcNbOSm2rtww0bYjpx7Uy+BlbSfxeca5AaylCaIGQaODR2DJfA3WMiaWe2oDIP/Rv8
	sms6DM53kXUuO/DOZYD8uGfOqgyKxNFrgsVIx+HPTXTPxualXQzPI08AWEWJrCyQgTbQ7Z
	9l870SqISBPQaF+5Z1JznPWmyyTqbaT+ZDK+e80lz+InU10Z0GfFq8AsBd9QZ9X4V4ruHa
	Lilh0IpC0cn+9HswygJ9plJQGksarjJm2PDHPTy7Qz8l4jM34YU+xFvlfMxsvtfWutCfYt
	IF+uNBDr1DWENFtHCzR/bE4lbsU8xqwqsEO94JwepCocOKGwbZNM2mZTndLbjg==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 082B425653;
	Mon,  6 Jun 2022 11:45:54 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 256Bjrgh053969;
	Mon, 6 Jun 2022 11:45:53 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 256BjrSD053968;
	Mon, 6 Jun 2022 11:45:53 GMT
	(envelope-from git)
Date: Mon, 6 Jun 2022 11:45:53 GMT
Message-Id: <202206061145.256BjrSD053968@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Kristof Provost <kp@FreeBSD.org>
Subject: git: 329c9b9da592 - stable/12 - pf: fix more syncookie memory leaks
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-branches@freebsd.org
X-BeenThere: dev-commits-src-branches@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/12
X-Git-Reftype: branch
X-Git-Commit: 329c9b9da5928e0a2de0014c4f6a254ceae299ec
Auto-Submitted: auto-generated
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1654515954;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=uh2N3S+n7/uAiWkyDC7kzP0FpYqRMz/YGLWN53SRRvA=;
	b=Y9VVUqp+aXedzha7PHifORApXWnh3s5QssyIyzsoDzsoIZbYvtKyrhzRqip3mRbFJXpfOM
	YQFma/dx97B1WnrVK6BXbBOxwS1UTEnXBX3777ut5fg0o5C0JDvB0ERSAGjT9EgUmd3wxJ
	8uSEUEE+zTu9yiporpK8vulkSKbu15i5/ZAfNP7MGj/yJ7yuKysUx5tUbQKbq6zIXOL6rm
	1yjbkCXP2ZI/hwz5CtzMy+MParlicehAiRC98T4XvjrBtNAMF0O0XTj9haC5Nc2tU+T/YD
	FE51m2ZqesdUzxt2EJRtZrI1dZv8WBfaHAUST0w7bpjoEX7cPCF6vl9sS6x9rQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1654515954; a=rsa-sha256; cv=none;
	b=frH+D46U8iVmTgvLsQpenzz5A2NvLFr2jZpDWn/KYYFzUjIgMblULDRw1JXYPaBiu0Q9vP
	UZMizAiCI8KCks3/RX0ge1mXFoBGLny3CIyg7udAsoIIUr2utZYho5F2MyYA1OVVVxv7F5
	UoWQ5sU3LAPfEOR8u4DHIek/t1YPIrLInGvHxOpaQFSuRoXsBjg7g/ZyqHxEeK3N8xjBNi
	jU45AHJ2sEJig1z4Y1RpxSK5sMQZEThydzdMcvBujB0epi9J4AMjcxi47VqGqYg1K+95gf
	xMfVvTyhucamOe/4INIbDOC/SMMpxcQxHyoz1OhjLQTKjvHLaeh0Ck7bJ1Dfug==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
X-ThisMailContainsUnwantedMimeParts: N

The branch stable/12 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=329c9b9da5928e0a2de0014c4f6a254ceae299ec

commit 329c9b9da5928e0a2de0014c4f6a254ceae299ec
Author:     Franco Fichtner <franco@opnsense.org>
AuthorDate: 2022-06-02 16:27:43 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-06-06 07:02:13 +0000

    pf: fix more syncookie memory leaks
    
    Allocate memory for packed nvlists in M_NVLIST, as nvlist_pack() does
    this as well, and we use the same variable interchangable with the
    memory we allocate. When we free it we can end up freeing from the wrong
    zone, leaking memory.
    
    Reviewed by:    kp
    Differential Revision:  https://reviews.freebsd.org/D35385
    
    (cherry picked from commit a37e0e6de6527a7eaddea8e28f5e4b3427fba1a4)
---
 sys/netpfil/pf/pf_ioctl.c      | 10 +++++-----
 sys/netpfil/pf/pf_syncookies.c |  6 +++---
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index e2b5d0704f16..9cbe1859cd6b 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2323,7 +2323,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
 		if (nv->len > pf_ioctl_maxcount)
 			ERROUT(ENOMEM);
 
-		nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
+		nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
 		error = copyin(nv->data, nvlpacked, nv->len);
 		if (error)
 			ERROUT(error);
@@ -2362,13 +2362,13 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
 		    anchor_call, td);
 
 		nvlist_destroy(nvl);
-		free(nvlpacked, M_TEMP);
+		free(nvlpacked, M_NVLIST);
 		break;
 #undef ERROUT
 DIOCADDRULENV_error:
 		pf_krule_free(rule);
 		nvlist_destroy(nvl);
-		free(nvlpacked, M_TEMP);
+		free(nvlpacked, M_NVLIST);
 
 		break;
 	}
@@ -5178,7 +5178,7 @@ pf_keepcounters(struct pfioc_nv *nv)
 	if (nv->len > pf_ioctl_maxcount)
 		ERROUT(ENOMEM);
 
-	nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
+	nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
 	if (nvlpacked == NULL)
 		ERROUT(ENOMEM);
 
@@ -5197,7 +5197,7 @@ pf_keepcounters(struct pfioc_nv *nv)
 
 on_error:
 	nvlist_destroy(nvl);
-	free(nvlpacked, M_TEMP);
+	free(nvlpacked, M_NVLIST);
 	return (error);
 }
 
diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c
index a3cc6650bbce..de0f27926a41 100644
--- a/sys/netpfil/pf/pf_syncookies.c
+++ b/sys/netpfil/pf/pf_syncookies.c
@@ -171,7 +171,7 @@ pf_get_syncookies(struct pfioc_nv *nv)
 #undef ERROUT
 errout:
 	nvlist_destroy(nvl);
-	free(nvlpacked, M_TEMP);
+	free(nvlpacked, M_NVLIST);
 
 	return (error);
 }
@@ -191,7 +191,7 @@ pf_set_syncookies(struct pfioc_nv *nv)
 	if (nv->len > pf_ioctl_maxcount)
 		return (ENOMEM);
 
-	nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
+	nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
 	if (nvlpacked == NULL)
 		return (ENOMEM);
 
@@ -232,7 +232,7 @@ pf_set_syncookies(struct pfioc_nv *nv)
 #undef ERROUT
 errout:
 	nvlist_destroy(nvl);
-	free(nvlpacked, M_TEMP);
+	free(nvlpacked, M_NVLIST);
 
 	return (error);
 }