The branch stable/13 has been updated by kp:
URL:
https://cgit.FreeBSD.org/src/commit/?id=a17aa2314d5078060417cbfba30b20088359ec21
commit a17aa2314d5078060417cbfba30b20088359ec21
Author: Kristof Provost <k...@FreeBSD.org>
AuthorDate: 2023-10-23 11:43:52 +0000
Commit: Kristof Provost <k...@FreeBSD.org>
CommitDate: 2023-10-31 08:08:46 +0000
libpfctl: fix pfctl_do_ioctl()
pfctl_do_ioctl() copies the packed request data into the request buffer
and then frees it. However, it's possible for the buffer to be too small
for the reply, causing us to allocate a new buffer. We then copied from
the freed request, and freed it again.
Do not free the request buffer until we're all the way done.
PR: 274614
Reviewed by: emaste
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision:
https://reviews.freebsd.org/D42329
(cherry picked from commit 2cffb52514b070e716e700c7f58fdb8cd9b05335)
---
lib/libpfctl/libpfctl.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c
index 54e8fedbe4df..c9a5190d790c 100644
--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@@ -72,7 +72,6 @@ pfctl_do_ioctl(int dev, uint cmd, size_t size, nvlist_t **nvl)
retry:
nv.data = malloc(size);
memcpy(nv.data, data, nvlen);
- free(data);
nv.len = nvlen;
nv.size = size;
@@ -90,13 +89,15 @@ retry:
if (ret == 0) {
*nvl = nvlist_unpack(nv.data, nv.len, 0);
if (*nvl == NULL) {
- free(nv.data);
- return (EIO);
+ ret = EIO;
+ goto out;
}
} else {
ret = errno;
}
+out:
+ free(data);
free(nv.data);
return (ret);