upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-09 08:43:19 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

libpfctl: fix pfctl_do_ioctl()

Browse source 
pfctl_do_ioctl() copies the packed request data into the request buffer
and then frees it. However, it's possible for the buffer to be too small
for the reply, causing us to allocate a new buffer. We then copied from
the freed request, and freed it again.

Do not free the request buffer until we're all the way done.

PR:		274614
Reviewed by:	emaste
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D42329

(cherry picked from commit 2cffb52514)
This commit is contained in:
Kristof Provost 2023-10-23 13:43:52 +02:00
parent eff832ae7b
commit 9f5ab6bddf
1 changed files with 4 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
lib/libpfctl/libpfctl.c
View file

@ -72,7 +72,6 @@ pfctl_do_ioctl(int dev, uint cmd, size_t size, nvlist_t **nvl)
retry:
nv.data = malloc(size);
memcpy(nv.data, data, nvlen);
free(data);
nv.len = nvlen;
nv.size = size;
@ -90,13 +89,15 @@ retry:
if (ret == 0) {
*nvl = nvlist_unpack(nv.data, nv.len, 0);
if (*nvl == NULL) {
free(nv.data);
return (EIO);
ret = EIO;
goto out;
}
} else {
ret = errno;
}
out:
free(data);
free(nv.data);
return (ret);