Message ID | 20210623112816.1668-1-pablo@netfilter.org |
---|---|
State | Accepted |
Delegated to: | Pablo Neira |
Headers | show |
Series | [nft] libnftables: fix memleak when first message in batch is used to report error | expand |
diff --git a/src/libnftables.c b/src/libnftables.c index e080eb032770..2378f7dd76fb 100644 --- a/src/libnftables.c +++ b/src/libnftables.c @@ -89,6 +89,12 @@ static int nft_netlink(struct nft_ctx *nft, last_seqnum = UINT32_MAX; } } + /* nfnetlink uses the first netlink message header in the batch whose + * sequence number is zero to report for EOPNOTSUPP and EPERM errors in + * some scenarios. Now it is safe to release here. + */ + list_for_each_entry_safe(err, tmp, &err_list, head) + mnl_err_list_free(err); out: mnl_batch_reset(ctx.batch); return ret;
The err->seqnum == batch_seqnum case results in a memleak of mnl_err objects under some scenarios such as nf_tables kernel support is not available or user runs the nft executable as non-root. Fixes: f930cc500318 ("nftables: fix supression of "permission denied" errors") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- Supersedes: https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210623112628.1543-1-pablo@netfilter.org/ src/libnftables.c | 6 ++++++ 1 file changed, 6 insertions(+)