From 2e97bc7968d26612ada09a355c97b09c7c647a3f Mon Sep 17 00:00:00 2001
From: ngie <ngie@FreeBSD.org>
Date: Mon, 18 Jan 2016 03:47:46 +0000
Subject: MFC r293704:

Fix theoretical leak of netconfig(3) resources in svcunix_create(..)

In the event that the getconfig(3) call in svcunix_create is partly successful,
some of the netconfig(3) resources allocated might be leaked if the call returns
NULL as endnetconfig(3) wasn't called explicitly in that case. Ensure that the
resources are fully cleaned up by going to the `done` label, which will call
endnetconfig(3) for us.

Submitted by: Miles Ohlrich <miles.ohlrich@isilon.com>
---
 lib/libc/rpc/rpc_soc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/libc/rpc')

diff --git a/lib/libc/rpc/rpc_soc.c b/lib/libc/rpc/rpc_soc.c
index 8d0f34e..ff7a289 100644
--- a/lib/libc/rpc/rpc_soc.c
+++ b/lib/libc/rpc/rpc_soc.c
@@ -525,7 +525,7 @@ svcunix_create(sock, sendsize, recvsize, path)
 			break;
 	}
 	if (nconf == NULL)
-		return(xprt);
+		goto done;
 
 	if ((sock = __rpc_nconf2fd(nconf)) < 0)
 		goto done;
-- 
cgit v1.1


From 6391e7176199f2b99c1f8d3e9d1a218b254a5fc6 Mon Sep 17 00:00:00 2001
From: ngie <ngie@FreeBSD.org>
Date: Mon, 18 Jan 2016 03:49:57 +0000
Subject: MFC r293705:

Similar to r293704, fix theoretical leak of netconfig(3) resources in
__rpcbind_is_up(..) if getnetconfig(3) is partly successful in allocating
resources, but not completely successful by moving the endnetconfig(3) call
up before we return from the function if nconf == NULL.

Submitted by: Miles Ohlrich <miles.ohlrich@isilon.com>
---
 lib/libc/rpc/rpcb_clnt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'lib/libc/rpc')

diff --git a/lib/libc/rpc/rpcb_clnt.c b/lib/libc/rpc/rpcb_clnt.c
index 943d7c8..117ee0f 100644
--- a/lib/libc/rpc/rpcb_clnt.c
+++ b/lib/libc/rpc/rpcb_clnt.c
@@ -675,11 +675,11 @@ __rpcbind_is_up()
 		    strcmp(nconf->nc_protofmly, NC_LOOPBACK) == 0)
 			 break;
 	}
+	endnetconfig(localhandle);
+
 	if (nconf == NULL)
 		return (FALSE);
 
-	endnetconfig(localhandle);
-
 	memset(&sun, 0, sizeof sun);
 	sock = _socket(AF_LOCAL, SOCK_STREAM, 0);
 	if (sock < 0)
-- 
cgit v1.1


From 95e3008df9dacdefc14557f98920587b391f3b2b Mon Sep 17 00:00:00 2001
From: ngie <ngie@FreeBSD.org>
Date: Tue, 19 Jan 2016 01:30:22 +0000
Subject: MFC r293715:

Fix a mismerge from NetBSD in r162194 with `xdr_rpcb_entry_list_ptr(..)`

This fixes the potential NULL pointer dereference properly, and also fixes
memory leaks encountered in the process of iterating through `*rp`.

Found by: Valgrind
Submitted by: Miles Ohlrich <miles.ohlrich@isilon.com>
---
 lib/libc/rpc/rpcb_prot.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'lib/libc/rpc')

diff --git a/lib/libc/rpc/rpcb_prot.c b/lib/libc/rpc/rpcb_prot.c
index f543aaf..92463c0 100644
--- a/lib/libc/rpc/rpcb_prot.c
+++ b/lib/libc/rpc/rpcb_prot.c
@@ -217,14 +217,14 @@ xdr_rpcb_entry_list_ptr(xdrs, rp)
 		 * the case of freeing we must remember the next object
 		 * before we free the current object ...
 		 */
-		if (freeing)
+		if (freeing && *rp)
 			next = (*rp)->rpcb_entry_next;
 		if (! xdr_reference(xdrs, (caddr_t *)rp,
 		    (u_int)sizeof (rpcb_entry_list),
 				    (xdrproc_t)xdr_rpcb_entry)) {
 			return (FALSE);
 		}
-		if (freeing && *rp) {
+		if (freeing) {
 			next_copy = next;
 			rp = &next_copy;
 			/*
-- 
cgit v1.1