From ad69a33458cf73ee14857d57799cf686946e0b88 Mon Sep 17 00:00:00 2001
From: Yuri Pankov
Date: Sun, 28 Dec 2014 02:32:31 +0300
Subject: [PATCH] 5491 libipadm`i_ipadm_init_ifs() calls free() on bogus memory address
Reviewed by: Marcel Telka
Reviewed by: Rick McNeal
Reviewed by: Andy Stormont
Reviewed by: Sebastien Roy
Approved by: Robert Mustacchi
---
 usr/src/lib/libipadm/common/libipadm.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/usr/src/lib/libipadm/common/libipadm.c b/usr/src/lib/libipadm/common/libipadm.c
index 21aeab72ba..527f735e17 100644
--- a/usr/src/lib/libipadm/common/libipadm.c
+++ b/usr/src/lib/libipadm/common/libipadm.c
@@ -18,8 +18,10 @@
 *
 * CDDL HEADER END
 */
+
 /*
 * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
 */
 #include
@@ -806,14 +808,14 @@ i_ipadm_init_ifs(ipadm_handle_t iph, const char *ifs, nvlist_t **allifs)
 status = ipadm_errno2status(err);
 goto done;
 }
- nvlsize = rvalp->ir_nvlsize;
- nvlbuf = (char *)rvalp + sizeof (ipmgmt_get_rval_t);
 /*
- * nvlbuf contains a list of nvlists, each of which represents
- * configuration information for the given interface(s)
+ * Daemon reply pointed to by rvalp contains ipmgmt_get_rval_t structure
+ * followed by a list of packed nvlists, each of which represents
+ * configuration information for the given interface(s).
 */
- err = nvlist_unpack(nvlbuf, nvlsize, allifs, NV_ENCODE_NATIVE);
+ err = nvlist_unpack((char *)rvalp + sizeof (ipmgmt_get_rval_t),
+ rvalp->ir_nvlsize, allifs, NV_ENCODE_NATIVE);
 if (err != 0)
 status = ipadm_errno2status(err);
 done:
--
2.11.4.GIT
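Review bot: In the second hunk, `rvalp->ir_nvlsize` is read out of the daemon reply and handed to `nvlist_unpack()` as the buffer length, and nothing visible in the hunk compares it with the number of bytes the reply actually holds. If the reply were shorter than `sizeof (ipmgmt_get_rval_t) + rvalp->ir_nvlsize`, the unpack would read past the end of the reply buffer, so a length check before the call would make this robust against a truncated or malformed reply. Something like `if (reply_len < sizeof (*rvalp) || rvalp->ir_nvlsize > reply_len - sizeof (*rvalp)) { status = ipadm_errno2status(EINVAL); goto done; }` would do, where `reply_len` is a placeholder for whatever size the request helper reports. The request call and the cleanup after `done:` lie outside the hunk, so this may already be enforced there; if it is, the new comment could say so in one line.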