libpfctl: fix pfctl_do_ioctl()
pfctl_do_ioctl() copies the packed request data into the request buffer and then frees it. However, it's possible for the buffer to be too small for the reply, causing us to allocate a new buffer. We then copied from the freed request, and freed it again. Do not free the request buffer until we're all the way done. PR: 274614 Reviewed by: emaste MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D42329
parent
82ea0132c8
commit
2cffb52514
|
@ -79,7 +79,6 @@ pfctl_do_ioctl(int dev, uint cmd, size_t size, nvlist_t **nvl)
|
|||
retry:
|
||||
nv.data = malloc(size);
|
||||
memcpy(nv.data, data, nvlen);
|
||||
free(data);
|
||||
|
||||
nv.len = nvlen;
|
||||
nv.size = size;
|
||||
|
@ -97,13 +96,15 @@ pfctl_do_ioctl(int dev, uint cmd, size_t size, nvlist_t **nvl)
|
|||
if (ret == 0) {
|
||||
*nvl = nvlist_unpack(nv.data, nv.len, 0);
|
||||
if (*nvl == NULL) {
|
||||
free(nv.data);
|
||||
return (EIO);
|
||||
ret = EIO;
|
||||
goto out;
|
||||
}
|
||||
} else {
|
||||
ret = errno;
|
||||
}
|
||||
|
||||
out:
|
||||
free(data);
|
||||
free(nv.data);
|
||||
|
||||
return (ret);
|
||||
|
|
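Review bot: The `nv.data = malloc(size);` under `retry:` in the first hunk still goes straight into `memcpy(nv.data, data, nvlen)` with no NULL check, so a failed allocation becomes a write through a NULL pointer instead of an error return. Now that the `out:` label frees both `data` and `nv.data` (and `free(NULL)` is a no-op), the check fits in one line: `if (nv.data == NULL) { ret = ENOMEM; goto out; }`. The copy also writes `nvlen` bytes into a `size`-byte buffer, and no `nvlen <= size` check is visible in these hunks; if the code outside the hunks does not enforce it, that comparison belongs next to the allocation check. The body of pfctl_do_ioctl() starts before the first hunk and ends after the second, so the branch that jumps back to `retry:` cannot be reviewed from here.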