The allocated payload expression is not used after returning from that
function, so it needs to be freed again.
Simple test case:
| nft add rule inet t c reject with tcp reset
Valgrind reports definitely lost 144 bytes.
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
src/evaluate.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index 54fd6b61dbbdf..40a9292fe53af 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2143,8 +2143,10 @@ static int stmt_reject_gen_dependency(struct eval_ctx *ctx, struct stmt *stmt,
if (ret <= 0)
return ret;
- if (payload_gen_dependency(ctx, payload, &nstmt) < 0)
- return -1;
+ if (payload_gen_dependency(ctx, payload, &nstmt) < 0) {
+ ret = -1;
+ goto out;
+ }
/*
* Unlike payload deps this adds the dependency at the beginning, i.e.
@@ -2155,7 +2157,9 @@ static int stmt_reject_gen_dependency(struct eval_ctx *ctx, struct stmt *stmt,
* Otherwise we'd log things that won't be rejected.
*/
list_add(&nstmt->list, &ctx->rule->stmts);
- return 0;
+out:
+ xfree(payload);
+ return ret;
}
static int stmt_evaluate_reject_inet_family(struct eval_ctx *ctx,
--
2.16.1
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
