There are more, but these ones are obvious as the size is already used
to clear the buffers' contents beforehand.
Feedback? OK?
Index: sys/net/pfkeyv2.c
===================================================================
RCS file: /cvs/src/sys/net/pfkeyv2.c,v
retrieving revision 1.200
diff -u -p -r1.200 pfkeyv2.c
--- sys/net/pfkeyv2.c 23 Apr 2020 19:38:08 -0000 1.200
+++ sys/net/pfkeyv2.c 13 Jul 2020 23:20:03 -0000
@@ -634,7 +634,7 @@ pfkeyv2_sendmessage(void **headers, int
ret:
if (buffer != NULL) {
bzero(buffer, j + sizeof(struct sadb_msg));
- free(buffer, M_PFKEY, 0);
+ free(buffer, M_PFKEY, j + sizeof(struct sadb_msg));
}
return (rval);
@@ -1179,7 +1179,7 @@ pfkeyv2_send(struct socket *so, void *me
/* Paranoid */
explicit_bzero(freeme, sizeof(struct sadb_msg) + len);
- free(freeme, M_PFKEY, 0);
+ free(freeme, M_PFKEY, sizeof(struct sadb_msg) + len);
freeme = NULL;
}
@@ -2095,7 +2095,7 @@ realret:
free(freeme3, M_PFKEY, 0);
explicit_bzero(message, len);
- free(message, M_PFKEY, 0);
+ free(message, M_PFKEY, len);
free(sa1, M_PFKEY, 0);
@@ -2306,7 +2306,7 @@ pfkeyv2_acquire(struct ipsec_policy *ipo
ret:
if (buffer != NULL) {
bzero(buffer, i);
- free(buffer, M_PFKEY, 0);
+ free(buffer, M_PFKEY, i);
}
return (rval);
@@ -2397,7 +2397,7 @@ pfkeyv2_expire(struct tdb *tdb, u_int16_
ret:
if (buffer != NULL) {
bzero(buffer, i);
- free(buffer, M_PFKEY, 0);
+ free(buffer, M_PFKEY, i);
}
return (rval);
