From 0671dac0cf93e4d07d85872fe5b7f10e117b971f Mon Sep 17 00:00:00 2001
From: david
Date: Thu, 10 Jul 2008 05:44:54 +0000
Subject: [PATCH] In pf_state_insert(), if the first pf_state_key_attach() fails, the state key is freed by pf_state_key_attach(). But in the case of NAT, there are two state keys allocated, so we must free the second key manually. Fixes a pf_state_key_pl leak seen in certain cases with pfsync or with pf state-insert errors. ok mcbride@ henning@
---
 sys/net/pf.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/sys/net/pf.c b/sys/net/pf.c
index 80bc147fc08..985ca3640a0 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.607 2008/07/05 16:57:50 david Exp $ */
+/* $OpenBSD: pf.c,v 1.608 2008/07/10 05:44:54 david Exp $ */
 
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -802,12 +802,15 @@ pf_state_insert(struct pfi_kif *kif, struct pf_state_key *skw,
 {
 s->kif = kif;
 
- if (pf_state_key_attach(skw, s, PF_SK_WIRE))
- return (-1);
-
- if (skw == sks)
+ if (skw == sks) {
+ if (pf_state_key_attach(skw, s, PF_SK_WIRE))
+ return (-1);
 s->key[PF_SK_STACK] = s->key[PF_SK_WIRE];
- else {
+ } else {
+ if (pf_state_key_attach(skw, s, PF_SK_WIRE)) {
+ pool_put(&pf_state_key_pl, sks);
+ return (-1);
+ }
 if (pf_state_key_attach(sks, s, PF_SK_STACK)) {
 pf_state_key_detach(s, PF_SK_WIRE);
 return (-1);
-- 
2.20.1
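Review bot: The `pool_put(&pf_state_key_pl, sks);` added in the `else` branch of the pf_state_insert() hunk depends on an ownership rule that is stated only in the commit message: pf_state_key_attach() releases the key it was given when it fails, so `skw` is already gone and `sks` is the one key still to be freed. Please record that at the call site, e.g. `/* attach freed skw on failure; sks was never attached, release it here */`, and state in the function's header comment that after a -1 return the caller must not touch either key. Callers are outside this hunk, so it is worth confirming that none of them (the pfsync path named in the commit message in particular) still frees or dereferences `sks` on error, because that would now be a double free or use-after-free of a pool item. The function's signature and the remainder of the `else` branch lie outside the hunk.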