There are more, but these ones are obvious as the size is already used to clear the buffers' contents beforehand.
Feedback? OK?
Index: sys/net/pfkeyv2.c
===================================================================
RCS file: /cvs/src/sys/net/pfkeyv2.c,v
retrieving revision 1.200
diff -u -p -r1.200 pfkeyv2.c
--- sys/net/pfkeyv2.c 23 Apr 2020 19:38:08 -0000 1.200
+++ sys/net/pfkeyv2.c 13 Jul 2020 23:20:03 -0000
@@ -634,7 +634,7 @@ pfkeyv2_sendmessage(void **headers, int
 ret:
 if (buffer != NULL) {
 bzero(buffer, j + sizeof(struct sadb_msg));
- free(buffer, M_PFKEY, 0);
+ free(buffer, M_PFKEY, j + sizeof(struct sadb_msg));
 }
 return (rval);
@@ -1179,7 +1179,7 @@ pfkeyv2_send(struct socket *so, void *me
 /* Paranoid */
 explicit_bzero(freeme, sizeof(struct sadb_msg) + len);
- free(freeme, M_PFKEY, 0);
+ free(freeme, M_PFKEY, sizeof(struct sadb_msg) + len);
 freeme = NULL;
 }
@@ -2095,7 +2095,7 @@ realret:
 free(freeme3, M_PFKEY, 0);
 explicit_bzero(message, len);
- free(message, M_PFKEY, 0);
+ free(message, M_PFKEY, len);
 free(sa1, M_PFKEY, 0);
@@ -2306,7 +2306,7 @@ pfkeyv2_acquire(struct ipsec_policy *ipo
 ret:
 if (buffer != NULL) {
 bzero(buffer, i);
- free(buffer, M_PFKEY, 0);
+ free(buffer, M_PFKEY, i);
 }
 return (rval);
@@ -2397,7 +2397,7 @@ pfkeyv2_expire(struct tdb *tdb, u_int16_
 ret:
 if (buffer != NULL) {
 bzero(buffer, i);
- free(buffer, M_PFKEY, 0);
+ free(buffer, M_PFKEY, i);
 }
 return (rval);
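Review bot: At the `ret:` label of pfkeyv2_sendmessage the buffer is still wiped with plain `bzero()` immediately before the now-sized `free()`, whereas both pfkeyv2_send hunks use `explicit_bzero()` for the same job; the `ret:` labels of pfkeyv2_acquire and pfkeyv2_expire have the same pattern. A clear that is followed directly by a free is a dead store the compiler is allowed to drop, so if these PF_KEY buffers can carry key material I would use `explicit_bzero(buffer, j + sizeof(struct sadb_msg));` here and `explicit_bzero(buffer, i);` in the other two. The allocations are outside these hunks, so please also confirm that `j` and `i` are not modified between the malloc and the label, since a non-zero size passed to free(9) has to be the allocation size.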
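Review bot: At `realret:` in pfkeyv2_send, `free(message, M_PFKEY, len)` is only correct if whoever allocated `message` used exactly `len` bytes, and that allocation is not visible in this hunk; both values appear to arrive as parameters, judging by the truncated signature in the previous hunk header. Before this change a mismatch went unnoticed because the size was 0, so the caller(s) are worth checking. I would also record the contract above the wipe, e.g. `/* message was allocated by the caller with exactly len bytes; we own and free it here */`. The function body starts and ends outside the hunk.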