The allocated payload expression is not used after returning from that function, so it needs to be freed again. Simple test case: | nft add rule inet t c reject with tcp reset Valgrind reports definitely lost 144 bytes. Signed-off-by: Phil Sutter <phil@xxxxxx> --- src/evaluate.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/evaluate.c b/src/evaluate.c index 54fd6b61dbbdf..40a9292fe53af 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -2143,8 +2143,10 @@ static int stmt_reject_gen_dependency(struct eval_ctx *ctx, struct stmt *stmt, if (ret <= 0) return ret; - if (payload_gen_dependency(ctx, payload, &nstmt) < 0) - return -1; + if (payload_gen_dependency(ctx, payload, &nstmt) < 0) { + ret = -1; + goto out; + } /* * Unlike payload deps this adds the dependency at the beginning, i.e. @@ -2155,7 +2157,9 @@ static int stmt_reject_gen_dependency(struct eval_ctx *ctx, struct stmt *stmt, * Otherwise we'd log things that won't be rejected. */ list_add(&nstmt->list, &ctx->rule->stmts); - return 0; +out: + xfree(payload); + return ret; } static int stmt_evaluate_reject_inet_family(struct eval_ctx *ctx, -- 2.16.1 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html