The branch stable/14 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=9f5ab6bddfc0974b385f2a198878f739424fd040
commit 9f5ab6bddfc0974b385f2a198878f739424fd040 Author: Kristof Provost <[email protected]> AuthorDate: 2023-10-23 11:43:52 +0000 Commit: Kristof Provost <[email protected]> CommitDate: 2023-11-01 09:05:49 +0000 libpfctl: fix pfctl_do_ioctl() pfctl_do_ioctl() copies the packed request data into the request buffer and then frees it. However, it's possible for the buffer to be too small for the reply, causing us to allocate a new buffer. We then copied from the freed request, and freed it again. Do not free the request buffer until we're all the way done. PR: 274614 Reviewed by: emaste MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D42329 (cherry picked from commit 2cffb52514b070e716e700c7f58fdb8cd9b05335) --- lib/libpfctl/libpfctl.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c index 1eccf3dfbcdf..d5347a7f8a84 100644 --- a/lib/libpfctl/libpfctl.c +++ b/lib/libpfctl/libpfctl.c @@ -72,7 +72,6 @@ pfctl_do_ioctl(int dev, uint cmd, size_t size, nvlist_t **nvl) retry: nv.data = malloc(size); memcpy(nv.data, data, nvlen); - free(data); nv.len = nvlen; nv.size = size; @@ -90,13 +89,15 @@ retry: if (ret == 0) { *nvl = nvlist_unpack(nv.data, nv.len, 0); if (*nvl == NULL) { - free(nv.data); - return (EIO); + ret = EIO; + goto out; } } else { ret = errno; } +out: + free(data); free(nv.data); return (ret);
