There are more free(..., M_PFKEY, 0) calls in this file, but these ones are the obvious cases: the allocation size is already at hand, because it is used to clear the buffer's contents right before the free.

Feedback? OK?

Index: sys/net/pfkeyv2.c
===================================================================
RCS file: /cvs/src/sys/net/pfkeyv2.c,v
retrieving revision 1.200
diff -u -p -r1.200 pfkeyv2.c
--- sys/net/pfkeyv2.c   23 Apr 2020 19:38:08 -0000      1.200
+++ sys/net/pfkeyv2.c   13 Jul 2020 23:20:03 -0000
@@ -634,7 +634,7 @@ pfkeyv2_sendmessage(void **headers, int 
 ret:
        if (buffer != NULL) {
                bzero(buffer, j + sizeof(struct sadb_msg));
-               free(buffer, M_PFKEY, 0);
+               free(buffer, M_PFKEY, j + sizeof(struct sadb_msg));
        }
 
        return (rval);
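Review bot: The clear at the top of this hunk is a plain bzero() of a buffer that is freed on the very next line, which is the dead-store pattern a compiler may drop, whereas the other hunks in this same diff use explicit_bzero() (with a "Paranoid" comment) for the identical purpose; the kernel's build flags may or may not protect bzero here, but explicit_bzero is the idiom this file already uses, so suggest `explicit_bzero(buffer, j + sizeof(struct sadb_msg));`. Now that the size is passed to free, it must be exactly the size this buffer was allocated with; the allocation is outside the hunk, so worth confirming that `j + sizeof(struct sadb_msg)` is that size, since a sized free that disagrees with the allocation is presumably checked at runtime. pfkeyv2_sendmessage begins outside the hunk.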
@@ -1179,7 +1179,7 @@ pfkeyv2_send(struct socket *so, void *me
 
                /* Paranoid */
                explicit_bzero(freeme, sizeof(struct sadb_msg) + len);
-               free(freeme, M_PFKEY, 0);
+               free(freeme, M_PFKEY, sizeof(struct sadb_msg) + len);
                freeme = NULL;
        }
 
@@ -2095,7 +2095,7 @@ realret:
        free(freeme3, M_PFKEY, 0);
 
        explicit_bzero(message, len);
-       free(message, M_PFKEY, 0);
+       free(message, M_PFKEY, len);
 
        free(sa1, M_PFKEY, 0);
 
@@ -2306,7 +2306,7 @@ pfkeyv2_acquire(struct ipsec_policy *ipo
 ret:
        if (buffer != NULL) {
                bzero(buffer, i);
-               free(buffer, M_PFKEY, 0);
+               free(buffer, M_PFKEY, i);
        }
 
        return (rval);
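Review bot: bzero() immediately before free() is a dead store to memory about to be released and may be elided unless the build prevents it, so the clear this diff relies on may not actually happen; the other hunks in this diff use explicit_bzero() for the same job, so suggest `explicit_bzero(buffer, i);` here. As with the other sized frees, `i` must equal the size `buffer` was allocated with, which is outside the hunk and worth double-checking. pfkeyv2_acquire begins outside the hunk.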
@@ -2397,7 +2397,7 @@ pfkeyv2_expire(struct tdb *tdb, u_int16_
  ret:
        if (buffer != NULL) {
                bzero(buffer, i);
-               free(buffer, M_PFKEY, 0);
+               free(buffer, M_PFKEY, i);
        }
 
        return (rval);
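Review bot: Same pattern as the acquire path: a plain bzero() of a buffer that is freed on the next line, which a compiler is entitled to treat as a dead store, while the sibling hunks in this diff already use explicit_bzero(); suggest `explicit_bzero(buffer, i);`. Passing `i` to free is only safe if it is exactly the allocated size of `buffer`, and that allocation is not in the hunk. pfkeyv2_expire begins outside the hunk.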
