git: 08c0976fdce9 - stable/13 - Merge commit '93bf91b4012a28610672d2266366dfa0a663b70f' into HEAD

From: Kyle Evans <kevans_at_FreeBSD.org>
Date: Sun, 13 Nov 2022 05:38:04 UTC
The branch stable/13 has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=08c0976fdce9f0fadb816c3506b5ed1b4dfc0ed1

commit 08c0976fdce9f0fadb816c3506b5ed1b4dfc0ed1
Author:     Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2022-11-05 03:46:21 +0000
Commit:     Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2022-11-13 05:37:05 +0000

    Merge commit '93bf91b4012a28610672d2266366dfa0a663b70f' into HEAD
    
    This fixes a warning in wireguard-tools, as well as two issues pointed out by
    FreeBSD's Coverity instance.
    
    CID:            1500405, 1500421
    (cherry picked from commit 2cb43631ab122ee0b2a3a101003b73415a9bf963)
---
 contrib/wireguard-tools/.gitignore    |  5 +++++
 contrib/wireguard-tools/ipc-freebsd.h | 22 ++++++++++++++++------
 contrib/wireguard-tools/show.c        |  2 +-
 3 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/contrib/wireguard-tools/.gitignore b/contrib/wireguard-tools/.gitignore
index 4343ea95a0a2..12b1f78af874 100644
--- a/contrib/wireguard-tools/.gitignore
+++ b/contrib/wireguard-tools/.gitignore
@@ -14,3 +14,8 @@ ipc-linux.h
 ipc-openbsd.h
 man/wg-quick.8
 systemd/
+
+# Build artifacts
+wg
+*.d
+*.o
diff --git a/contrib/wireguard-tools/ipc-freebsd.h b/contrib/wireguard-tools/ipc-freebsd.h
index b5be15b82140..fa74edda5a3d 100644
--- a/contrib/wireguard-tools/ipc-freebsd.h
+++ b/contrib/wireguard-tools/ipc-freebsd.h
@@ -4,6 +4,7 @@
  *
  */
 
+#include <assert.h>
 #include <sys/nv.h>
 #include <sys/sockio.h>
 #include <dev/wg/if_wg.h>
@@ -118,7 +119,7 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 		goto skip_peers;
 	for (i = 0; i < peer_count; ++i) {
 		struct wgpeer *peer;
-		struct wgallowedip *aip;
+		struct wgallowedip *aip = NULL;
 		const nvlist_t *const *nvl_aips;
 		size_t aip_count, j;
 
@@ -169,11 +170,13 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 		if (!aip_count || !nvl_aips)
 			goto skip_allowed_ips;
 		for (j = 0; j < aip_count; ++j) {
+			if (!nvlist_exists_number(nvl_aips[j], "cidr"))
+				continue;
+			if (!nvlist_exists_binary(nvl_aips[j], "ipv4") && !nvlist_exists_binary(nvl_aips[j], "ipv6"))
+				continue;
 			aip = calloc(1, sizeof(*aip));
 			if (!aip)
 				goto err_allowed_ips;
-			if (!nvlist_exists_number(nvl_aips[j], "cidr"))
-				continue;
 			number = nvlist_get_number(nvl_aips[j], "cidr");
 			if (nvlist_exists_binary(nvl_aips[j], "ipv4")) {
 				binary = nvlist_get_binary(nvl_aips[j], "ipv4", &size);
@@ -184,7 +187,8 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 				aip->family = AF_INET;
 				aip->cidr = number;
 				memcpy(&aip->ip4, binary, sizeof(aip->ip4));
-			} else if (nvlist_exists_binary(nvl_aips[j], "ipv6")) {
+			} else {
+				assert(nvlist_exists_binary(nvl_aips[j], "ipv6"));
 				binary = nvlist_get_binary(nvl_aips[j], "ipv6", &size);
 				if (!binary || number > 128) {
 					ret = EINVAL;
@@ -193,14 +197,14 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 				aip->family = AF_INET6;
 				aip->cidr = number;
 				memcpy(&aip->ip6, binary, sizeof(aip->ip6));
-			} else
-				continue;
+			}
 
 			if (!peer->first_allowedip)
 				peer->first_allowedip = aip;
 			else
 				peer->last_allowedip->next_allowedip = aip;
 			peer->last_allowedip = aip;
+			aip = NULL;
 			continue;
 
 		err_allowed_ips:
@@ -209,6 +213,9 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 			free(aip);
 			goto err_peer;
 		}
+
+		/* Nothing leaked, hopefully -- ownership transferred or aip freed. */
+		assert(aip == NULL);
 	skip_allowed_ips:
 		if (!dev->first_peer)
 			dev->first_peer = peer;
@@ -322,6 +329,7 @@ static int kernel_set_device(struct wgdevice *dev)
 			nvlist_destroy(nvl_aips[j]);
 		free(nvl_aips);
 		nvlist_destroy(nvl_peers[i]);
+		nvl_peers[i] = NULL;
 		goto err;
 	}
 	if (i) {
@@ -329,9 +337,11 @@ static int kernel_set_device(struct wgdevice *dev)
 		for (i = 0; i < peer_count; ++i)
 			nvlist_destroy(nvl_peers[i]);
 		free(nvl_peers);
+		nvl_peers = NULL;
 	}
 	wgd.wgd_data = nvlist_pack(nvl_device, &wgd.wgd_size);
 	nvlist_destroy(nvl_device);
+	nvl_device = NULL;
 	if (!wgd.wgd_data)
 		goto err;
 	s = get_dgram_socket();
diff --git a/contrib/wireguard-tools/show.c b/contrib/wireguard-tools/show.c
index a61a06ef0646..3fd3d9e2a151 100644
--- a/contrib/wireguard-tools/show.c
+++ b/contrib/wireguard-tools/show.c
@@ -27,7 +27,7 @@
 static int peer_cmp(const void *first, const void *second)
 {
 	time_t diff;
-	const struct wgpeer *a = *(const void **)first, *b = *(const void **)second;
+	const struct wgpeer *a = *(void *const *)first, *b = *(void *const *)second;
 
 	if (!a->last_handshake_time.tv_sec && !a->last_handshake_time.tv_nsec && (b->last_handshake_time.tv_sec || b->last_handshake_time.tv_nsec))
 		return 1;