rpcapd: fix daemon_unpackapplyfilter() leak on failure paths

rootvector2 · rootvector2 · commit fdbdd17eb9e4 · 2026-03-30T21:37:04.000+05:30
Free the received BPF instruction buffer through a common cleanup path when receiving instructions, validating the filter, or applying the filter fails.\n\nKeep existing daemon.c indentation style and make only the relevant CHANGES entry for this fix (Coverity CID 1641537).
diff --git a/CHANGES b/CHANGES
@@ -66,6 +66,8 @@ DayOfTheWeek, Month DD, YYYY / The Tcpdump Group
       rpcapd: Refine SSL options in printusage().
       Fix a possible buffer overflow (Coverity CID 1619148).
       Fix parameter name validation in the configuration file.
+      Fix a memory leak in daemon_unpackapplyfilter() (Coverity CID
+        1641537).
     Documentation:
       Add a README.hurd.md file.
       Cross-reference some man pages better.
diff --git a/rpcapd/daemon.c b/rpcapd/daemon.c
@@ -2342,6 +2342,7 @@ daemon_unpackapplyfilter(PCAP_SOCKET sockctrl, SSL *ctrl_ssl, struct session *se
 	struct bpf_insn *bf_insn;
 	struct bpf_program bf_prog;
 	unsigned int i;
+	int ret;
 
 	status = rpcapd_recv(sockctrl, ctrl_ssl, (char *) &filter,
 	    sizeof(struct rpcap_filter), plenp, errmsgbuf);
@@ -2385,11 +2386,13 @@ daemon_unpackapplyfilter(PCAP_SOCKET sockctrl, SSL *ctrl_ssl, struct session *se
 		    sizeof(struct rpcap_filterbpf_insn), plenp, errmsgbuf);
 		if (status == -1)
 		{
-			return -1;
+			ret = -1;
+			goto cleanup;
 		}
 		if (status == -2)
 		{
-			return -2;
+			ret = -2;
+			goto cleanup;
 		}
 
 		bf_insn->code = ntohs(insn.code);
@@ -2406,16 +2409,22 @@ daemon_unpackapplyfilter(PCAP_SOCKET sockctrl, SSL *ctrl_ssl, struct session *se
 	if (bpf_validate(bf_prog.bf_insns, bf_prog.bf_len) == 0)
 	{
 		snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "The filter contains invalid instructions");
-		return -2;
+		ret = -2;
+		goto cleanup;
 	}
 
 	if (pcap_setfilter(session->fp, &bf_prog))
 	{
 		snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "RPCAP error: %s", pcap_geterr(session->fp));
-		return -2;
+		ret = -2;
+		goto cleanup;
 	}
 
-	return 0;
+	ret = 0;
+
+cleanup:
+	free(bf_prog.bf_insns);
+	return ret;
 }
 
 static int

Original file line number	Diff line number	Diff line change
`@@ -2342,6 +2342,7 @@ daemon_unpackapplyfilter(PCAP_SOCKET sockctrl, SSL ctrl_ssl, struct session se`
`2342`	`2342`	`struct bpf_insn *bf_insn;`
`2343`	`2343`	`struct bpf_program bf_prog;`
`2344`	`2344`	`unsigned int i;`
	`2345`	`+ int ret;`
`2345`	`2346`
`2346`	`2347`	`status = rpcapd_recv(sockctrl, ctrl_ssl, (char *) &filter,`
`2347`	`2348`	`sizeof(struct rpcap_filter), plenp, errmsgbuf);`
`@@ -2385,11 +2386,13 @@ daemon_unpackapplyfilter(PCAP_SOCKET sockctrl, SSL ctrl_ssl, struct session se`
`2385`	`2386`	`sizeof(struct rpcap_filterbpf_insn), plenp, errmsgbuf);`
`2386`	`2387`	`if (status == -1)`
`2387`	`2388`	`{`
`2388`		`- return -1;`
	`2389`	`+ ret = -1;`
	`2390`	`+ goto cleanup;`
`2389`	`2391`	`}`
`2390`	`2392`	`if (status == -2)`
`2391`	`2393`	`{`
`2392`		`- return -2;`
	`2394`	`+ ret = -2;`
	`2395`	`+ goto cleanup;`
`2393`	`2396`	`}`
`2394`	`2397`
`2395`	`2398`	`bf_insn->code = ntohs(insn.code);`
`@@ -2406,16 +2409,22 @@ daemon_unpackapplyfilter(PCAP_SOCKET sockctrl, SSL ctrl_ssl, struct session se`
`2406`	`2409`	`if (bpf_validate(bf_prog.bf_insns, bf_prog.bf_len) == 0)`
`2407`	`2410`	`{`
`2408`	`2411`	`snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "The filter contains invalid instructions");`
`2409`		`- return -2;`
	`2412`	`+ ret = -2;`
	`2413`	`+ goto cleanup;`
`2410`	`2414`	`}`
`2411`	`2415`
`2412`	`2416`	`if (pcap_setfilter(session->fp, &bf_prog))`
`2413`	`2417`	`{`
`2414`	`2418`	`snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "RPCAP error: %s", pcap_geterr(session->fp));`
`2415`		`- return -2;`
	`2419`	`+ ret = -2;`
	`2420`	`+ goto cleanup;`
`2416`	`2421`	`}`
`2417`	`2422`
`2418`		`- return 0;`
	`2423`	`+ ret = 0;`
	`2424`	`+`
	`2425`	`+cleanup:`
	`2426`	`+ free(bf_prog.bf_insns);`
	`2427`	`+ return ret;`
`2419`	`2428`	`}`
`2420`	`2429`
`2421`	`2430`	`static int`