From a769e8df0054ccac7e34e9f1968c7fd321313c8b Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Thu, 7 Apr 2022 08:41:37 +0200
Subject: [PATCH] pf syncookies: fix memory leak

We forgot to free the nvlist (and packed nvlist) on success. While here start using the ERROUT macro to clean up error handling, and to add SDTs for better debugging.

Reported by: Coverity
CID: 1473150
---
 sys/netpfil/pf/pf_syncookies.c | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c
index 32b2bec6c3d6..5230502be30c 100644
--- a/sys/netpfil/pf/pf_syncookies.c
+++ b/sys/netpfil/pf/pf_syncookies.c
@@ -141,10 +141,13 @@ pf_get_syncookies(struct pfioc_nv *nv)
 {
 nvlist_t *nvl = NULL;
 void *nvlpacked = NULL;
+ int error;
+
+#define ERROUT(x) ERROUT_FUNCTION(errout, x)
 
 nvl = nvlist_create(0);
 if (nvl == NULL)
- return (ENOMEM);
+ ERROUT(ENOMEM);
 
 nvlist_add_bool(nvl, "enabled",
 V_pf_status.syncookies_mode != PF_SYNCOOKIES_NEVER);
@@ -154,21 +157,23 @@ pf_get_syncookies(struct pfioc_nv *nv)
 nvlist_add_number(nvl, "lowwater", V_pf_syncookie_status.lowat);
 
 nvlpacked = nvlist_pack(nvl, &nv->len);
- if (nvlpacked == NULL) {
- nvlist_destroy(nvl);
- return (ENOMEM);
- }
+ if (nvlpacked == NULL)
+ ERROUT(ENOMEM);
+
 if (nv->size == 0) {
- nvlist_destroy(nvl);
- free(nvlpacked, M_TEMP);
- return (0);
+ ERROUT(0);
 } else if (nv->size < nv->len) {
- nvlist_destroy(nvl);
- free(nvlpacked, M_TEMP);
- return (ENOSPC);
+ ERROUT(ENOSPC);
 }
 
- return (copyout(nvlpacked, nv->data, nv->len));
+ error = copyout(nvlpacked, nv->data, nv->len);
+
+#undef ERROUT
+errout:
+ nvlist_destroy(nvl);
+ free(nvlpacked, M_TEMP);
+
+ return (error);
 }
 
 int
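Review bot: The unbraced `if (nvl == NULL) ERROUT(ENOMEM);` here, and the matching `if (nvlpacked == NULL) ERROUT(ENOMEM);` in the next hunk, are only correct if ERROUT_FUNCTION expands to a single statement; its definition is not part of this diff, so confirm it is wrapped in `do { ... } while (0)`. The macro also appears to hide an assignment to the new local `error` and a jump to `errout`, so a short comment above the `#define`, e.g. `/* ERROUT(x): record x in error and jump to errout, which releases nvl and nvlpacked. */`, would keep the cleanup contract visible to whoever adds the next early exit. `int error;` is left uninitialized; every visible path sets it before `return (error);`, but `int error = 0;` would keep a future bare `goto errout` from returning an indeterminate value to the caller. The body of pf_get_syncookies continues past this hunk.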
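Review bot: `ERROUT(0)` in the `nv->size == 0` branch sends a successful size query through the error macro; if ERROUT_FUNCTION fires the SDT probe the commit message mentions, every size query would show up in error tracing with a value of 0. Consider `error = 0;` followed by `goto errout;` in that branch, so the probe only reports real failures such as ENOMEM and ENOSPC. Because `errout:` is now also the success exit, a comment on the label such as `/* Common exit, also taken on success: nvl and nvlpacked are always released here. */` would guard against reintroducing the leak this commit fixes. The start of pf_get_syncookies is outside this hunk.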