The branch stable/14 has been updated by kp:
URL:
https://cgit.FreeBSD.org/src/commit/?id=9f5ab6bddfc0974b385f2a198878f739424fd040
commit 9f5ab6bddfc0974b385f2a198878f739424fd040
Author: Kristof Provost <k...@FreeBSD.org>
AuthorDate: 2023-10-23 11:43:52 +0000
Commit: Kristof Provost <k...@FreeBSD.org>
CommitDate: 2023-11-01 09:05:49 +0000
libpfctl: fix pfctl_do_ioctl()
pfctl_do_ioctl() copies the packed request data into the request buffer
and then frees it. However, it's possible for the buffer to be too small
for the reply, causing us to allocate a new buffer. We then copied from
the freed request, and freed it again.
Do not free the request buffer until we're all the way done.
PR: 274614
Reviewed by: emaste
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision:
https://reviews.freebsd.org/D42329
(cherry picked from commit 2cffb52514b070e716e700c7f58fdb8cd9b05335)
---
lib/libpfctl/libpfctl.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c
index 1eccf3dfbcdf..d5347a7f8a84 100644
--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@@ -72,7 +72,6 @@ pfctl_do_ioctl(int dev, uint cmd, size_t size, nvlist_t **nvl)
retry:
nv.data = malloc(size);
memcpy(nv.data, data, nvlen);
- free(data);
nv.len = nvlen;
nv.size = size;
@@ -90,13 +89,15 @@ retry:
if (ret == 0) {
*nvl = nvlist_unpack(nv.data, nv.len, 0);
if (*nvl == NULL) {
- free(nv.data);
- return (EIO);
+ ret = EIO;
+ goto out;
}
} else {
ret = errno;
}
+out:
+ free(data);
free(nv.data);
return (ret);