diff options
| author | Franco Fichtner <franco@opnsense.org> | 2022-06-02 16:27:43 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2022-06-02 18:17:25 +0000 |
| commit | a37e0e6de6527a7eaddea8e28f5e4b3427fba1a4 (patch) | |
| tree | 66170d95e5c063bf1660bd6a61833afbf0a74a72 | |
| parent | 1a4614a51ee7e3d3cd4ef30b16e13f9ef1713a56 (diff) | |
| download | src-a37e0e6de6527a7eaddea8e28f5e4b3427fba1a4.tar.gz src-a37e0e6de6527a7eaddea8e28f5e4b3427fba1a4.zip | |
pf: fix more syncookie memory leaks
Allocate memory for packed nvlists in M_NVLIST, as nvlist_pack() does
this as well, and we use the same variable interchangable with the
memory we allocate. When we free it we can end up freeing from the wrong
zone, leaking memory.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D35385
| -rw-r--r-- | sys/netpfil/pf/pf_ioctl.c | 20 | ||||
| -rw-r--r-- | sys/netpfil/pf/pf_syncookies.c | 6 |
2 files changed, 13 insertions, 13 deletions
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 745b9b69060b..1ccbbd3814ac 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -2722,7 +2722,7 @@ DIOCGETETHRULES_error: if (nv->len > pf_ioctl_maxcount) ERROUT(ENOMEM); - nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); + nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK); if (nvlpacked == NULL) ERROUT(ENOMEM); @@ -2763,7 +2763,7 @@ DIOCGETETHRULES_error: nvlist_destroy(nvl); nvl = NULL; - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); nvlpacked = NULL; rule = TAILQ_FIRST(rs->active.rules); @@ -2803,7 +2803,7 @@ DIOCGETETHRULES_error: #undef ERROUT DIOCGETETHRULE_error: - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); nvlist_destroy(nvl); break; } @@ -2819,7 +2819,7 @@ DIOCGETETHRULE_error: #define ERROUT(x) ERROUT_IOCTL(DIOCADDETHRULE_error, x) - nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); + nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK); if (nvlpacked == NULL) ERROUT(ENOMEM); @@ -2922,7 +2922,7 @@ DIOCGETETHRULE_error: #undef ERROUT DIOCADDETHRULE_error: nvlist_destroy(nvl); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); break; } @@ -3117,7 +3117,7 @@ DIOCGETETHRULESET_error: if (nv->len > pf_ioctl_maxcount) ERROUT(ENOMEM); - nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); + nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK); error = copyin(nv->data, nvlpacked, nv->len); if (error) ERROUT(error); @@ -3156,13 +3156,13 @@ DIOCGETETHRULESET_error: anchor_call, td); nvlist_destroy(nvl); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); break; #undef ERROUT DIOCADDRULENV_error: pf_krule_free(rule); nvlist_destroy(nvl); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); break; } @@ -6018,7 +6018,7 @@ pf_keepcounters(struct pfioc_nv *nv) if (nv->len > pf_ioctl_maxcount) ERROUT(ENOMEM); - nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); + nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK); if (nvlpacked == NULL) ERROUT(ENOMEM); @@ -6037,7 +6037,7 @@ pf_keepcounters(struct pfioc_nv *nv) on_error: nvlist_destroy(nvl); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); return (error); } diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c index 5230502be30c..6a375411d8ea 100644 --- a/sys/netpfil/pf/pf_syncookies.c +++ b/sys/netpfil/pf/pf_syncookies.c @@ -171,7 +171,7 @@ pf_get_syncookies(struct pfioc_nv *nv) #undef ERROUT errout: nvlist_destroy(nvl); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); return (error); } @@ -191,7 +191,7 @@ pf_set_syncookies(struct pfioc_nv *nv) if (nv->len > pf_ioctl_maxcount) return (ENOMEM); - nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); + nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK); if (nvlpacked == NULL) return (ENOMEM); @@ -232,7 +232,7 @@ pf_set_syncookies(struct pfioc_nv *nv) #undef ERROUT errout: nvlist_destroy(nvl); - free(nvlpacked, M_TEMP); + free(nvlpacked, M_NVLIST); return (error); } |