libpfctl: fix pfctl_do_ioctl()

pfctl_do_ioctl() copies the packed request data into the request buffer and then frees it. However, it's possible for the buffer to be too small for the reply, causing us to allocate a new buffer. We then copied from the freed request, and freed it again. Do not free the request buffer until we're all the way done. PR: 274614 Reviewed by: emaste MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D42329
2024-07-22 10:48:02 +00:00 · 2023-10-23 13:43:52 +02:00 · 2023-10-23 13:43:52 +02:00 · 2cffb52514
parent 82ea0132c8
commit 2cffb52514
1 changed files with 4 additions and 3 deletions
--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@ -79,7 +79,6 @@ pfctl_do_ioctl(int dev, uint cmd, size_t size, nvlist_t **nvl)
 retry:
 	nv.data = malloc(size);
 	memcpy(nv.data, data, nvlen);
-	free(data);

 	nv.len = nvlen;
 	nv.size = size;
@ -97,13 +96,15 @@ pfctl_do_ioctl(int dev, uint cmd, size_t size, nvlist_t **nvl)
 	if (ret == 0) {
 		*nvl = nvlist_unpack(nv.data, nv.len, 0);
 		if (*nvl == NULL) {
-			free(nv.data);
-			return (EIO);
+			ret = EIO;
+			goto out;
 		}
 	} else {
 		ret = errno;
 	}

+out:
+	free(data);
 	free(nv.data);

 	return (ret);