diff options
| author | Kristof Provost <kp@FreeBSD.org> | 2021-06-01 14:05:47 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2021-06-04 08:12:32 +0000 |
| commit | 1d89dba26b9557543e728a1e1bdab9702cc88ac3 (patch) | |
| tree | 4fd187f788f18974c2bb487e501d13e531e2a0ab | |
| parent | 5713766d631787677a291490e0b8e369d30be43e (diff) | |
| download | src-1d89dba26b9557543e728a1e1bdab9702cc88ac3.tar.gz src-1d89dba26b9557543e728a1e1bdab9702cc88ac3.zip | |
pf: Fix more ioctl memory leaks
We must also remember to free nvlists added to a parent nvlist with
nvlist_append_nvlist_array().
More importantly, when nvlist_pack() allocates memory for us it does so
in the M_NVLIST zone, so we must free it with free(.., M_NVLIST). Using
free(.., M_TEMP) as we did silently failed to free the memory.
MFC after: 3 days
Reported by: kib@
Tested by: kib@
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30595
(cherry picked from commit 0f86492b09ca82042166a41f6f21b2dbe4f4a464)
| -rw-r--r-- | sys/netpfil/pf/pf_ioctl.c | 27 | ||||
| -rw-r--r-- | sys/netpfil/pf/pf_nv.c | 1 |
2 files changed, 15 insertions, 13 deletions
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 148a8a56f624..3a5a7601b51e 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -2438,7 +2438,7 @@ DIOCADDRULENV_error: ERROUT(ENOMEM); /* Copy the request in */ - nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); + nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK); if (nvlpacked == NULL) ERROUT(ENOMEM); @@ -2516,7 +2516,7 @@ DIOCADDRULENV_error: ERROUT(EBUSY); } - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); nvlpacked = nvlist_pack(nvl, &nv->len); if (nvlpacked == NULL) { PF_RULES_WUNLOCK(); @@ -2546,7 +2546,7 @@ DIOCADDRULENV_error: #undef ERROUT DIOCGETRULENV_error: - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); nvlist_destroy(nvrule); nvlist_destroy(nvl); @@ -4934,7 +4934,7 @@ pf_killstates_nv(struct pfioc_nv *nv) if (nv->len > pf_ioctl_maxcount) ERROUT(ENOMEM); - nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); + nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK); if (nvlpacked == NULL) ERROUT(ENOMEM); @@ -4952,7 +4952,7 @@ pf_killstates_nv(struct pfioc_nv *nv) error = pf_killstates(&kill, &killed); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); nvlpacked = NULL; nvlist_destroy(nvl); nvl = nvlist_create(0); @@ -4974,7 +4974,7 @@ pf_killstates_nv(struct pfioc_nv *nv) on_error: nvlist_destroy(nvl); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); return (error); } @@ -4992,7 +4992,7 @@ pf_clearstates_nv(struct pfioc_nv *nv) if (nv->len > pf_ioctl_maxcount) ERROUT(ENOMEM); - nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); + nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK); if (nvlpacked == NULL) ERROUT(ENOMEM); @@ -5010,7 +5010,7 @@ pf_clearstates_nv(struct pfioc_nv *nv) killed = pf_clear_states(&kill); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); nvlpacked = NULL; nvlist_destroy(nvl); nvl = nvlist_create(0); @@ -5033,7 +5033,7 @@ pf_clearstates_nv(struct pfioc_nv *nv) #undef ERROUT on_error: nvlist_destroy(nvl); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); return (error); } @@ -5051,7 +5051,7 @@ pf_getstate(struct pfioc_nv *nv) if (nv->len > pf_ioctl_maxcount) ERROUT(ENOMEM); - nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); + nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK); if (nvlpacked == NULL) ERROUT(ENOMEM); @@ -5070,7 +5070,7 @@ pf_getstate(struct pfioc_nv *nv) if (s == NULL) ERROUT(ENOENT); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); nvlpacked = NULL; nvlist_destroy(nvl); nvl = nvlist_create(0); @@ -5099,7 +5099,7 @@ pf_getstate(struct pfioc_nv *nv) errout: if (s != NULL) PF_STATE_UNLOCK(s); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); nvlist_destroy(nvl); return (error); } @@ -5141,6 +5141,7 @@ pf_getstates(struct pfioc_nv *nv) goto DIOCGETSTATESNV_full; } nvlist_append_nvlist_array(nvl, "states", nvls); + nvlist_destroy(nvls); count++; } PF_HASHROW_UNLOCK(ih); @@ -5167,7 +5168,7 @@ DIOCGETSTATESNV_full: #undef ERROUT errout: - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); nvlist_destroy(nvl); return (error); } diff --git a/sys/netpfil/pf/pf_nv.c b/sys/netpfil/pf/pf_nv.c index 863259dbf9aa..dab72f04d138 100644 --- a/sys/netpfil/pf/pf_nv.c +++ b/sys/netpfil/pf/pf_nv.c @@ -846,6 +846,7 @@ pf_state_key_to_nvstate_key(const struct pf_state_key *key) if (tmp == NULL) goto errout; nvlist_append_nvlist_array(nvl, "addr", tmp); + nvlist_destroy(tmp); nvlist_append_number_array(nvl, "port", key->port[i]); } nvlist_add_number(nvl, "af", key->af); |