If batch_rule_add() fails, this function leaked the rule iterator
object.

Fixes: 4c54c892443c2 ("xtables: Catch errors when zeroing rule rounters")
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
 iptables/nft.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index 6354b7e8e72fe..dab1db59ec971 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3374,8 +3374,10 @@ static int __nft_chain_zero_counters(struct nftnl_chain 
*c, void *data)
                         * rule based on its handle only.
                         */
                        nftnl_rule_unset(r, NFTNL_RULE_POSITION);
-                       if (!batch_rule_add(h, NFT_COMPAT_RULE_REPLACE, r))
+                       if (!batch_rule_add(h, NFT_COMPAT_RULE_REPLACE, r)) {
+                               nftnl_rule_iter_destroy(iter);
                                return -1;
+                       }
                }
                r = nftnl_rule_iter_next(iter);
        }
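Review bot: The added error path destroys the iterator inline, which duplicates whatever cleanup the function performs once the loop finishes; if a `nftnl_rule_iter_destroy(iter)` already follows the loop, a `goto` to a shared cleanup label (`ret = -1; goto out_iter;`, with `out_iter: nftnl_rule_iter_destroy(iter); return ret;`) would keep a single teardown site and protect any future early return in this loop from repeating the leak this commit fixes. Whether `r` itself needs releasing when batch_rule_add() fails cannot be told from the hunk, so that is worth confirming against batch_rule_add()'s ownership contract. The body of __nft_chain_zero_counters starts and ends outside the hunk.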
-- 
2.21.0
