From: Henry Ford
Subject: msgbuf_free incomplete NULL check
To: tech@openbsd.org
Date: Thu, 21 Nov 2024 20:58:19 -0500

msgbuf_free checks if msgbuf is NULL before calling msgbuf_clear on it, but does not perform the same check before freeing its rbuf field. After upgrading to the latest snapshot this causes my ntpd to crash on startup. The following diff guards the call to free with the same check used for msgbuf_clear. After applying this diff ntpd no longer crashes.

diff /usr/src commit - e08605c7f2d4f3a5540bdbbdf70eaa19abe1f819 path + /usr/src blob - c43da77f8af85dd91437e0576db867ab7c4defa1 file + lib/libutil/imsg-buffer.c --- lib/libutil/imsg-buffer.c +++ lib/libutil/imsg-buffer.c @@ -605,9 +605,10 @@ msgbuf_new_reader(size_t hdrsz, ssize_t (*readhdr)(str void msgbuf_free(struct msgbuf *msgbuf) { - if (msgbuf != NULL) + if (msgbuf != NULL) { msgbuf_clear(msgbuf); - free(msgbuf->rbuf); + free(msgbuf->rbuf); + } free(msgbuf); }
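Review bot: the guard is correct but the function would read more clearly as an early return: `if (msgbuf == NULL) return;` at the top of msgbuf_free, followed by unconditional msgbuf_clear(msgbuf), free(msgbuf->rbuf) and free(msgbuf). That avoids bracing two calls inside the `if` and makes it obvious at a glance that no statement in the function dereferences a NULL msgbuf. The patched form as written is also safe: the trailing free(msgbuf) left outside the block is fine because free(NULL) is defined as a no-op, so only the msgbuf->rbuf dereference needed the guard. One more point: the diff carries no comment or log message saying that the guard was widened because a NULL msgbuf reached the free(msgbuf->rbuf) line; the email explains the ntpd crash, but a reader of the commit alone will not see why the braces were added, so a one-line commit message stating that would help.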