This happens only if the function is called multiple times, i.e. in
ebtables-restore. First of all, the initialization can be dropped
entirely since that's already done by nft_init_eb(). This though means
loaded matches are actually being reused, which requires some fixing:

Since extension parsers change data in xtables_matches objects, this
data has to be set to zero again at the start of do_commandeb() to avoid
side-effects with previous calls.

In ebt_cs_clean(), xtables_rule_matches_free() can't be used since that
frees match field 'm' which is being reused. Hence copy the remaining
bits over to replace it.

Similar to the above, per-watcher data in field 't' must not be freed
since it's being reused.

Signed-off-by: Phil Sutter <[email protected]>
---
 iptables/nft-bridge.c | 20 +++++++++++++++++---
 iptables/xtables-eb.c | 18 +++---------------
 2 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index bbcecd825f8ce..3eb8882fe70e0 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -25,16 +25,30 @@
 void ebt_cs_clean(struct iptables_command_state *cs)
 {
        struct ebt_match *m, *nm;
+       struct xtables_rule_match *matchp, *tmp;
 
-       xtables_rule_matches_free(&cs->matches);
+       for (matchp = cs->matches; matchp;) {
+               tmp = matchp->next;
+
+               if (matchp->match == matchp->match->next) {
+                       free(matchp->match);
+                       matchp->match = NULL;
+               }
+               free(matchp);
+               matchp = tmp;
+       }
 
        for (m = cs->match_list; m;) {
                nm = m->next;
-               if (!m->ismatch)
-                       free(m->u.watcher->t);
                free(m);
                m = nm;
        }
+
+       if (cs->target) {
+               if (cs->target->udata_size)
+                       free(cs->target->udata);
+               free(cs->target->t);
+       }
 }
 
 /* 0: default, print only 2 digits if necessary
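Review bot: the open-coded loop drops the `*matches = NULL` that xtables_rule_matches_free() performed, so after the loop cs->matches still points at the freed wrappers; add `cs->matches = NULL;` after the `for (matchp = ...)` loop. The same applies to the new target block at the end of the function: `cs->target->t` and `cs->target->udata` are freed but not cleared, and cs->target is an entry of the global targets list that the next do_commandeb() call will pick up again, so set `cs->target->t = NULL` (and `udata = NULL`) after the free to rule out a double free or a read of the stale pointer on the next restore line. The target handling is also not mentioned in the commit message, which only covers matches and watchers; a sentence on why target data may be freed while match/watcher data must be kept would help the next reader.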
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index c6993438d8cbe..ac36270052e25 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -786,24 +786,12 @@ int do_commandeb(struct nft_handle *h, int argc, char 
*argv[], char **table)
        struct xtables_rule_match *xtrm_i;
        struct ebt_match *match;
 
-       if (nft_init(h, xtables_bridge) < 0)
-               xtables_error(OTHER_PROBLEM,
-                             "Could not initialize nftables layer.");
-
-       h->ops = nft_family_ops_lookup(h->family);
-       if (h->ops == NULL)
-               xtables_error(PARAMETER_PROBLEM, "Unknown family");
-
-       /* manually registering ebt matches, given the original ebtables parser
-        * don't use '-m matchname' and the match can't loaded dinamically when
-        * the user calls it.
-        */
-       ebt_load_match_extensions();
-
        /* clear mflags in case do_commandeb gets called a second time
         * (we clear the global list of all matches for security)*/
-       for (m = xtables_matches; m; m = m->next)
+       for (m = xtables_matches; m; m = m->next) {
                m->mflags = 0;
+               memset(m->m->data, 0, m->m->u.match_size - sizeof(*m->m));
+       }
 
        for (t = xtables_targets; t; t = t->next) {
                t->tflags = 0;
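Review bot: the added memset dereferences `m->m` for every entry of xtables_matches, but that list holds every registered match, not only the ones ebt_load_match_extensions() preallocated an entry for, so a match registered without `m` would crash here; guard it with `if (m->m)` before the memset. Since the nft_init()/nft_family_ops_lookup()/ebt_load_match_extensions() calls are removed, do_commandeb() now silently depends on every caller having gone through nft_init_eb() first; a one-line comment at the top of the function stating that precondition would document it.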
-- 
2.18.0
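The commit message describes an object-lifetime model that the hunks only show in fragments: extension objects are registered once and live for the whole process, a rule carries a list of per-rule wrappers, a second use of the same extension in one rule produces a clone marked by `next` pointing to itself, and the preallocated `m` block must survive freeing the wrappers but be zeroed before the next rule is parsed. The following is an added example written for this page, not iptables code; `ext_match`, `rule_match`, `entry_match` and the option parser are hypothetical stand-ins for libxtables' xtables_match, xtables_rule_match and ebt_entry_match, and the assumption that a clone shares the original's `m` is part of the model, not a statement about libxtables. It shows the stale data a second rule picks up when the reset is skipped, and the free loop from the patch with the list head cleared.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for ebt_entry_match: fixed header followed by extension data. */
struct entry_match {
	unsigned int match_size;            /* header + data, like u.match_size */
	unsigned char data[8];
};

/* Stand-in for xtables_match: one per registered extension, lives forever. */
struct ext_match {
	const char *name;
	unsigned int mflags;
	struct entry_match *m;              /* allocated once, reused per rule */
	struct ext_match *next;             /* clone marker: next == self */
};

/* Stand-in for xtables_rule_match: per-rule wrapper list. */
struct rule_match {
	struct ext_match *match;
	struct rule_match *next;
};

/* The global extension, as a manual registration would set it up. */
static struct ext_match ext_ip = { "ip", 0, NULL, NULL };

static void register_ext(struct ext_match *ext)
{
	if (!ext->m) {
		ext->m = calloc(1, sizeof(*ext->m));
		assert(ext->m);
		ext->m->match_size = sizeof(*ext->m);
	}
}

/* The per-call reset: flags and the data area behind the header. */
static void reset_ext(struct ext_match *ext)
{
	ext->mflags = 0;
	memset(ext->m->data, 0,
	       ext->m->match_size - offsetof(struct entry_match, data));
}

/* Append ext to the rule. A second use of the same name yields a clone whose
 * next points to itself; the clone shares m (model assumption), so only the
 * clone struct itself may ever be freed. */
static struct rule_match *rule_add(struct rule_match **list, struct ext_match *ext)
{
	struct rule_match **i, *rm;
	int seen = 0;

	for (i = list; *i; i = &(*i)->next)
		if (!strcmp((*i)->match->name, ext->name))
			seen = 1;
	if (seen) {
		struct ext_match *clone = malloc(sizeof(*clone));
		assert(clone);
		memcpy(clone, ext, sizeof(*clone));
		clone->next = clone;
		ext = clone;
	}
	rm = calloc(1, sizeof(*rm));
	assert(rm);
	rm->match = ext;
	*i = rm;
	return rm;
}

/* Mirrors the loop the patch puts in ebt_cs_clean(): frees wrappers and
 * clones, keeps m for the next call, and also resets the list head. */
static void rule_matches_free_keep_m(struct rule_match **list)
{
	struct rule_match *matchp, *tmp;

	for (matchp = *list; matchp;) {
		tmp = matchp->next;
		if (matchp->match == matchp->match->next) {
			free(matchp->match);
			matchp->match = NULL;
		}
		free(matchp);
		matchp = tmp;
	}
	*list = NULL;
}

/* Toy option parser: 'a' writes data[0], 'b' writes data[1]. */
static void parse_option(struct ext_match *ext, char opt, unsigned char val)
{
	ext->mflags |= (opt == 'a') ? 1u : 2u;
	ext->m->data[opt == 'a' ? 0 : 1] = val;
}

/* Two consecutive rules as a restore run would issue them: the first sets
 * both options, the second only 'a'. Returns the data[1] byte the second
 * rule ends up with: 0 after a reset, the stale 0x20 without one. */
static unsigned char second_rule_b(int do_reset)
{
	struct rule_match *rule = NULL;
	unsigned char b;

	register_ext(&ext_ip);
	reset_ext(&ext_ip);
	rule_add(&rule, &ext_ip);
	parse_option(&ext_ip, 'a', 0x10);
	parse_option(&ext_ip, 'b', 0x20);
	rule_matches_free_keep_m(&rule);

	if (do_reset)
		reset_ext(&ext_ip);
	rule_add(&rule, &ext_ip);
	parse_option(&ext_ip, 'a', 0x30);
	b = ext_ip.m->data[1];
	rule_matches_free_keep_m(&rule);
	return b;
}

/* Same extension used twice in one rule: the clone is freed, the shared m
 * survives and the list head is cleared. Returns 1 on success. */
static int clone_round_trip(void)
{
	struct rule_match *rule = NULL, *second;

	register_ext(&ext_ip);
	reset_ext(&ext_ip);
	rule_add(&rule, &ext_ip);
	second = rule_add(&rule, &ext_ip);
	if (second->match == &ext_ip || second->match->next != second->match)
		return 0;
	rule_matches_free_keep_m(&rule);
	return rule == NULL && ext_ip.m != NULL &&
	       ext_ip.m->match_size == sizeof(*ext_ip.m);
}

int main(void)
{
	printf("second rule data[1] without reset: 0x%02x\n", second_rule_b(0));
	printf("second rule data[1] with reset:    0x%02x\n", second_rule_b(1));
	printf("clone round trip: %s\n", clone_round_trip() ? "ok" : "broken");
	return 0;
}
```

The stale byte in the no-reset case is the side effect the commit message refers to: a rule that never mentions an option still hands the kernel whatever the previous rule wrote into the shared `m`, which is why the zeroing has to cover the whole data area rather than only the flags.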
