Date: Wed, 5 Nov 2025 19:37:24 GMT
Message-Id: <202511051937.5A5JbOLA086104@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Colin Percival
Subject: git: 88c5a4996b90 - releng/15.0 - ifconfig: Fix invalid free() in ifbridge
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: cperciva
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/15.0
X-Git-Reftype: branch
X-Git-Commit: 88c5a4996b90fb70e5990169170a4e93d19aff23
Auto-Submitted: auto-generated

The branch releng/15.0 has been updated by cperciva:

URL: https://cgit.FreeBSD.org/src/commit/?id=88c5a4996b90fb70e5990169170a4e93d19aff23

commit 88c5a4996b90fb70e5990169170a4e93d19aff23
Author:     Lexi Winter
AuthorDate: 2025-11-04 00:53:25 +0000
Commit:     Colin Percival
CommitDate: 2025-11-05 19:36:12 +0000

    ifconfig: Fix invalid free() in ifbridge

    parse_vlans() does 's = strdup(str)', then calls strsep(&s, ...),
    then attempts to free(s) at the end of the function. For the success
    case, this is fine (s is NULL, so it's a trivial memory leak), but in
    the error case, we will attempt to free an invalid pointer.

    Fix this by storing the original return value from strdup() and
    freeing that instead.

    Approved by:    re (cperciva)
    MFC after:      3 seconds
    Reported by:    David Gwynne
    Reviewed by:    zlei, kevans
    Sponsored by:   https://www.patreon.com/bsdivy
    Differential Revision:  https://reviews.freebsd.org/D53545

    (cherry picked from commit 0899f7a3b791ed4878e7cb3859636ec980c76832)
    (cherry picked from commit fe2e534433778c038138510ff6a8f07066e72703)
---
 sbin/ifconfig/ifbridge.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/sbin/ifconfig/ifbridge.c b/sbin/ifconfig/ifbridge.c index eff443447c13..8bcf4a638adf 100644 --- a/sbin/ifconfig/ifbridge.c +++ b/sbin/ifconfig/ifbridge.c
@@ -811,7 +811,7 @@ unsetbridge_private(if_ctx *ctx, const char *val, int dummy __unused) static int parse_vlans(ifbvlan_set_t *set, const char *str) { - char *s, *token; + char *s, *free_s, *token; /* "none" means the empty vlan set */ if (strcmp(str, "none") == 0) { @@ -829,6 +829,8 @@ parse_vlans(ifbvlan_set_t *set, const char *str) if ((s = strdup(str)) == NULL) return (-1); + /* Keep the original value of s, since strsep() will modify it */ + free_s = s; while ((token = strsep(&s, ",")) != NULL) { unsigned long first, last; @@ -856,11 +858,11 @@ parse_vlans(ifbvlan_set_t *set, const char *str) BRVLAN_SET(set, vlan); } - free(s); + free(free_s); return (0); err: - free(s); + free(free_s); return (-1); }
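
Review bot: free_s has no initializer in the declaration changed by the first hunk (`char *s, *free_s, *token;`), while the err: label now calls free(free_s). In the visible code it is assigned right after strdup() and before the loop, so the existing paths are safe, but any error exit later added between the declaration and the strdup() call would free an indeterminate pointer. Declaring it as `char *free_s = NULL;` keeps the cleanup label safe regardless of where a future `goto err` lands.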
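
Review bot: the comment added in the second hunk (@@ -829,6) says only that strsep() will modify s, which does not tell the next reader why free(s) was wrong. Consider stating the two outcomes: after the last token strsep() sets s to NULL, and on an earlier exit s points past a delimiter inside the strdup() buffer rather than at its start. Assigning the strdup() result to free_s in the `if` and then setting `s = free_s` would also make it explicit which variable owns the allocation.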
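
Review bot: the last hunk (@@ -856,11) leaves two separate exits that each call free(free_s), one before `return (0);` and one under `err:`. A single exit that frees once and returns a result variable set to 0 or -1 would keep the release in one place, so a later change cannot update one path and miss the other.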