From 08d984e5bf9ac9ac33e6662fba04b2fc0680b237 Mon Sep 17 00:00:00 2001
From: bluhm <bluhm@openbsd.org>
Date: Mon, 29 Nov 2021 15:39:59 +0000
Subject: [PATCH] Using a void pointer for temporary allocated TDB in pfkeyv2
 does not make sense.  Do not use the freeme pointer for TDB in
 pfkeyv2_send(). The pattern is tdb_alloc() and tdb_unref() in case of error. 
 Replace tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
 Only tdb_unref() should call tdb_free(). OK mvs@

---
 sys/net/pfkeyv2.c     | 50 ++++++++++++++++---------------------------
 sys/netinet/ip_ipsp.c |  4 ++--
 2 files changed, 21 insertions(+), 33 deletions(-)

diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index b47e19e2a79..c0ed3701aac 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.223 2021/11/26 16:16:35 tobhe Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.224 2021/11/29 15:39:59 bluhm Exp $ */
 
 /*
  *	@(#)COPYRIGHT	1.1 (NRL) 17 January 1995
@@ -1324,22 +1324,18 @@ pfkeyv2_send(struct socket *so, void *message, int len)
 			int alg;
 
 			/* Create new TDB */
-			freeme_sz = 0;
-			freeme = tdb_alloc(rdomain);
-			bzero(&ii, sizeof(struct ipsecinit));
-
-			newsa = (struct tdb *) freeme;
+			newsa = tdb_alloc(rdomain);
 			newsa->tdb_satype = smsg->sadb_msg_satype;
 
 			if ((rval = pfkeyv2_get_proto_alg(newsa->tdb_satype,
 			    &newsa->tdb_sproto, &alg))) {
-				tdb_unref(freeme);
-				freeme = NULL;
+				tdb_unref(newsa);
 				NET_UNLOCK();
 				goto ret;
 			}
 
 			/* Initialize SA */
+			bzero(&ii, sizeof(struct ipsecinit));
 			import_sa(newsa, headers[SADB_EXT_SA], &ii);
 			import_address(&newsa->tdb_src.sa,
 			    headers[SADB_EXT_ADDRESS_SRC]);
@@ -1369,8 +1365,7 @@ pfkeyv2_send(struct socket *so, void *message, int len)
 			    headers[SADB_X_EXT_DST_MASK],
 			    headers[SADB_X_EXT_PROTOCOL],
 			    headers[SADB_X_EXT_FLOW_TYPE]))) {
-				tdb_unref(freeme);
-				freeme = NULL;
+				tdb_unref(newsa);
 				NET_UNLOCK();
 				goto ret;
 			}
@@ -1392,8 +1387,7 @@ pfkeyv2_send(struct socket *so, void *message, int len)
 			rval = tdb_init(newsa, alg, &ii);
 			if (rval) {
 				rval = EINVAL;
-				tdb_unref(freeme);
-				freeme = NULL;
+				tdb_unref(newsa);
 				NET_UNLOCK();
 				goto ret;
 			}
@@ -1402,8 +1396,7 @@ pfkeyv2_send(struct socket *so, void *message, int len)
 
 			/* Delete old version of the SA, insert new one */
 			tdb_delete(sa2);
-			puttdb((struct tdb *) freeme);
-			freeme = NULL;
+			puttdb(newsa);
 		} else {
 			/*
 			 * The SA is already initialized, so we're only allowed to
@@ -1497,26 +1490,24 @@ pfkeyv2_send(struct socket *so, void *message, int len)
 			goto ret;
 		}
 
-		/* Allocate and initialize new TDB */
-		freeme_sz = 0;
-		freeme = tdb_alloc(rdomain);
-
 		{
-			struct tdb *newsa = (struct tdb *) freeme;
+			struct tdb *newsa;
 			struct ipsecinit ii;
 			int alg;
 
-			bzero(&ii, sizeof(struct ipsecinit));
-
+			/* Create new TDB */
+			newsa = tdb_alloc(rdomain);
 			newsa->tdb_satype = smsg->sadb_msg_satype;
+
 			if ((rval = pfkeyv2_get_proto_alg(newsa->tdb_satype,
 			    &newsa->tdb_sproto, &alg))) {
-				tdb_unref(freeme);
-				freeme = NULL;
+				tdb_unref(newsa);
 				NET_UNLOCK();
 				goto ret;
 			}
 
+			/* Initialize SA */
+			bzero(&ii, sizeof(struct ipsecinit));
 			import_sa(newsa, headers[SADB_EXT_SA], &ii);
 			import_address(&newsa->tdb_src.sa,
 			    headers[SADB_EXT_ADDRESS_SRC]);
@@ -1549,8 +1540,7 @@ pfkeyv2_send(struct socket *so, void *message, int len)
 			    headers[SADB_X_EXT_DST_MASK],
 			    headers[SADB_X_EXT_PROTOCOL],
 			    headers[SADB_X_EXT_FLOW_TYPE]))) {
-				tdb_unref(freeme);
-				freeme = NULL;
+				tdb_unref(newsa);
 				NET_UNLOCK();
 				goto ret;
 			}
@@ -1572,18 +1562,16 @@ pfkeyv2_send(struct socket *so, void *message, int len)
 			rval = tdb_init(newsa, alg, &ii);
 			if (rval) {
 				rval = EINVAL;
-				tdb_unref(freeme);
-				freeme = NULL;
+				tdb_unref(newsa);
 				NET_UNLOCK();
 				goto ret;
 			}
-		}
 
-		/* Add TDB in table */
-		puttdb((struct tdb *) freeme);
+			/* Add TDB in table */
+			puttdb(newsa);
+		}
 		NET_UNLOCK();
 
-		freeme = NULL;
 		break;
 
 	case SADB_DELETE:
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index 04346c3bcb0..21be98c83a2 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_ipsp.c,v 1.256 2021/11/26 19:24:41 bluhm Exp $	*/
+/*	$OpenBSD: ip_ipsp.c,v 1.257 2021/11/29 15:39:59 bluhm Exp $	*/
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -324,7 +324,7 @@ reserve_spi(u_int rdomain, u_int32_t sspi, u_int32_t tspi,
 	}
 
 	(*errval) = EEXIST;
-	tdb_free(tdbp);
+	tdb_unref(tdbp);
 	return 0;
 }
 
-- 
2.20.1