[Openvpn-devel] Add calls to nvlist_destroy to avoid leaks (v2)

Message ID f8845c0c5aa74e5bab537463249a251d@stormshield.eu
State Accepted
Headers show
Series [Openvpn-devel] Add calls to nvlist_destroy to avoid leaks (v2) | expand

Commit Message

Rémi FARAULT Nov. 5, 2024, 9:04 a.m. UTC

Comments

Gert Doering Nov. 5, 2024, 9:22 p.m. UTC | #1
Thanks for that patch, and for sending a typo-fixed v2.  I did ask
for changes to the commit message which were not done :-( - so I added
the SOB, Github reference plus a bit more explanatory text (from the 
GH MR) myself.

Kristof approved in the GH MR, and I reviewed and tested the change
myself (FreeBSD 14, server and client tests) and things look good -
so recording Kristof's ACK and adding mine.

Acked-by: Gert Doering <gert@greenie.muc.de>

Your patch has been applied to the master and release/2.6 branch (bugfix).

commit dee0748a1e0f57c326cf2b83f8499998ac9d1187 (master)
commit a5d2544ca3a95eba0127ab9cc8a8277fd1d1f974 (release/2.6)
Author: Rémi Farault
Date:   Tue Oct 29 12:06:35 2024 +0100

     Add calls to nvlist_destroy to avoid leaks

     Signed-off-by: Rémi Farault <remi.farault@stormshield.eu>
     Acked-by: Kristof Provost <kp@freebsd.org>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <f8845c0c5aa74e5bab537463249a251d@stormshield.eu>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29701.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

From c2df7d0e66987e0e7d2c17e1550c40a5f30a265c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Farault?= <remi.farault@stormshield.eu>
Date: Tue, 29 Oct 2024 12:06:35 +0100
Subject: [PATCH v2] Add calls to nvlist_destroy to avoid leaks

---
 src/openvpn/dco_freebsd.c | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)

diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c
index c92e42a1..f4c3b021 100644
--- a/src/openvpn/dco_freebsd.c
+++ b/src/openvpn/dco_freebsd.c
@@ -78,7 +78,7 @@  dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
              struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
 {
     struct ifdrv drv;
-    nvlist_t *nvl;
+    nvlist_t *nvl, *local_nvl, *remote_nvl;
     int ret;
 
     nvl = nvlist_create(0);
@@ -87,12 +87,14 @@  dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
 
     if (localaddr)
     {
-        nvlist_add_nvlist(nvl, "local", sockaddr_to_nvlist(localaddr));
+        local_nvl = sockaddr_to_nvlist(localaddr);
+        nvlist_add_nvlist(nvl, "local", local_nvl);
     }
 
     if (remoteaddr)
     {
-        nvlist_add_nvlist(nvl, "remote", sockaddr_to_nvlist(remoteaddr));
+        remote_nvl = sockaddr_to_nvlist(remoteaddr);
+        nvlist_add_nvlist(nvl, "remote", remote_nvl);
     }
 
     if (vpn_ipv4)
@@ -121,6 +123,14 @@  dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
     }
 
     free(drv.ifd_data);
+    if (localaddr)
+    {
+        nvlist_destroy(local_nvl);
+    }
+    if (remoteaddr)
+    {
+        nvlist_destroy(remote_nvl);
+    }
     nvlist_destroy(nvl);
 
     return ret;
@@ -418,7 +428,7 @@  dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid,
             const char *ciphername)
 {
     struct ifdrv drv;
-    nvlist_t *nvl;
+    nvlist_t *nvl, *encrypt_nvl, *decrypt_nvl;
     int ret;
 
     msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s",
@@ -430,10 +440,11 @@  dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid,
     nvlist_add_number(nvl, "keyid", keyid);
     nvlist_add_number(nvl, "peerid", peerid);
 
-    nvlist_add_nvlist(nvl, "encrypt",
-                      key_to_nvlist(encrypt_key, encrypt_iv, ciphername));
-    nvlist_add_nvlist(nvl, "decrypt",
-                      key_to_nvlist(decrypt_key, decrypt_iv, ciphername));
+    encrypt_nvl = key_to_nvlist(encrypt_key, encrypt_iv, ciphername);
+    decrypt_nvl = key_to_nvlist(decrypt_key, decrypt_iv, ciphername);
+
+    nvlist_add_nvlist(nvl, "encrypt", encrypt_nvl);
+    nvlist_add_nvlist(nvl, "decrypt", decrypt_nvl);
 
     CLEAR(drv);
     snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
@@ -451,6 +462,8 @@  dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid,
     }
 
     free(drv.ifd_data);
+    nvlist_destroy(encrypt_nvl);
+    nvlist_destroy(decrypt_nvl);
     nvlist_destroy(nvl);
 
     return ret;
@@ -750,6 +763,7 @@  retry:
     if (!nvlist_exists_nvlist_array(nvl, "peers"))
     {
         /* no peers */
+        nvlist_destroy(nvl);
         return 0;
     }
 
@@ -762,6 +776,7 @@  retry:
         dco_update_peer_stat(m, peerid, nvlist_get_nvlist(peer, "bytes"));
     }
 
+    nvlist_destroy(nvl);
     return 0;
 }
 
-- 
2.25.1