From nobody Tue Nov 04 01:22:04 2025 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4d0rK90myfz6G9js; Tue, 04 Nov 2025 01:22:05 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4d0rK84YkWz41B4; Tue, 04 Nov 2025 01:22:04 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1762219324; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=St6c4GQPdOgq0WbW5qK/zKMbaEe95BW2GPUoN7X3iWk=; b=I5SsJtYPP6qoierojhfbUacJQGIRAiPA1dsnlyFnFjeXgwkdA4FWvq0ANm0e7GBWEW0GeK WwHjYIfGTT9yw82Z30oXA2ZfVNdGmULUOGa/HKPVgSa2dEzeCff3G1BWMXfqpYCT5Q0GY4 broi1KS25KZZSoc9yO6TUVfpK3gaLerUrGIsCDAyElZJHr4itDVtQbcbLZReOk1Z7dTlrv bPSDr3ci/ptmNwrRxDFRXffaPA5frk3QU69EvLba24VCM4RSjEbmuPQEvd8/U1AxsJZDSK V473+7MjxMJSAXEMsuDnZsJsFYUYwO+AjDeEQekLSISQAJEbnR4ehZ99l/vLoQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1762219324; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=St6c4GQPdOgq0WbW5qK/zKMbaEe95BW2GPUoN7X3iWk=; b=tptkG6SgnQWw2u1DK3GBz89JMKlBYRigV1p3BKdqE4WIJ+nUSH17OS2uOQfMnhq108eviF q4uCFEZCKU0D8njcr93CNHdWrv5WiAxxBPKRP8HrMNS2OJj9oi4ADMyF2gC5CU2tv8vzUf wbrMe9ByTfyWokrizHr2Qz+vrSDoswwpi8VhiC1KLpWJkdt6dl4FsNK9ixmc2/wIc2nZ9y 2VGLxYbrjcNEavEE/RRLS+KI8x81nyakwuLoCH7xf4R2ZAmOh98QDOxn/Pt6yr8deKwH0z CHNgj4VWNT4Fong0XRMJzBtrl2xHw/L87eh1s+9DlAQPWoLJLNa0PmxtfPbf8w== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1762219324; a=rsa-sha256; cv=none; b=trcv6x8rAOxSTFvvuocnw8CRHu3GW0CpihEkicQ+7diCrImRqw5cmLoUP9mQFhLwt8piqz 0VdK3bidSlCxTWHwymzgcxHpUW2ZwEs59yctQcvCKB7mdGnn2dqhDBbw5lbTsDKIlsjwQW eUEm6bvA296ekWwQBp2/hjUKple6ijX7VFeJ0cFZaGpB7dcAO0ab5+ze9xn1zIHCmDDjf0 V5wRIyvalusRCUfxVDTiKb1un9uTXZNpVVuVHv+g8vx/2uwx2nUvSPoi1TR3uMjlr8rMwO 5dwmIwCtpnjk9YTuo6CMK7dIiWB/XxvH9Z+J9pCDz12+IAzicZTGDwLeaJqx/A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4d0rK83wxrzc0k; Tue, 04 Nov 2025 01:22:04 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 5A41M4xr011644; Tue, 4 Nov 2025 01:22:04 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 5A41M4ti011641; Tue, 4 Nov 2025 01:22:04 GMT (envelope-from git) Date: Tue, 4 Nov 2025 01:22:04 GMT Message-Id: <202511040122.5A41M4ti011641@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Lexi Winter Subject: git: fe2e53443377 - stable/15 - ifconfig: Fix invalid free() in ifbridge List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: ivy X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: fe2e534433778c038138510ff6a8f07066e72703 Auto-Submitted: auto-generated The branch stable/15 has been updated by ivy: URL: https://cgit.FreeBSD.org/src/commit/?id=fe2e534433778c038138510ff6a8f07066e72703 commit fe2e534433778c038138510ff6a8f07066e72703 Author: Lexi Winter AuthorDate: 2025-11-04 00:53:25 +0000 Commit: Lexi Winter CommitDate: 2025-11-04 01:12:30 +0000 ifconfig: Fix invalid free() in ifbridge parse_vlans() does 's = strdup(str)', then calls strsep(&s, ...), then attempts to free(s) at the end of the function. For the success case, this is fine (s is NULL, so it's a trivial memory leak), but in the error case, we will attempt to free an invalid pointer. Fix this by storing the original return value from strdup() and freeing that instead. MFC after: 3 seconds Reported by: David Gwynne Reviewed by: zlei, kevans Sponsored by: https://www.patreon.com/bsdivy Differential Revision: https://reviews.freebsd.org/D53545 (cherry picked from commit 0899f7a3b791ed4878e7cb3859636ec980c76832) --- sbin/ifconfig/ifbridge.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/sbin/ifconfig/ifbridge.c b/sbin/ifconfig/ifbridge.c index eff443447c13..8bcf4a638adf 100644 --- a/sbin/ifconfig/ifbridge.c +++ b/sbin/ifconfig/ifbridge.c @@ -811,7 +811,7 @@ unsetbridge_private(if_ctx *ctx, const char *val, int dummy __unused) static int parse_vlans(ifbvlan_set_t *set, const char *str) { - char *s, *token; + char *s, *free_s, *token; /* "none" means the empty vlan set */ if (strcmp(str, "none") == 0) { @@ -829,6 +829,8 @@ parse_vlans(ifbvlan_set_t *set, const char *str) if ((s = strdup(str)) == NULL) return (-1); + /* Keep the original value of s, since strsep() will modify it */ + free_s = s; while ((token = strsep(&s, ",")) != NULL) { unsigned long first, last; @@ -856,11 +858,11 @@ parse_vlans(ifbvlan_set_t *set, const char *str) BRVLAN_SET(set, vlan); } - free(s); + free(free_s); return (0); err: - free(s); + free(free_s); return (-1); }