This happens only if the function is called multiple times, i.e. in ebtables-restore. First of all, the initialization can be dropped entirely since that's already done by nft_init_eb(). This though means loaded matches are actually being reused which requires some fixing: Since extension parsers change data in xtables_matches objects, this data has to be set to zero again at the start of do_commandeb() to avoid side-effects with previous calls. In ebt_cs_clean(), xtables_rule_matches_free() can't be used since that frees match field 'm' which is being reused. Hence copy the remaining bits over to replace it. Similar to the above, per-watcher data in field 't' must not be freed since it's being reused. Signed-off-by: Phil Sutter <phil@xxxxxx> --- iptables/nft-bridge.c | 20 +++++++++++++++++--- iptables/xtables-eb.c | 18 +++--------------- 2 files changed, 20 insertions(+), 18 deletions(-) diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c index bbcecd825f8ce..3eb8882fe70e0 100644 --- a/iptables/nft-bridge.c +++ b/iptables/nft-bridge.c @@ -25,16 +25,30 @@ void ebt_cs_clean(struct iptables_command_state *cs) { struct ebt_match *m, *nm; + struct xtables_rule_match *matchp, *tmp; - xtables_rule_matches_free(&cs->matches); + for (matchp = cs->matches; matchp;) { + tmp = matchp->next; + + if (matchp->match == matchp->match->next) { + free(matchp->match); + matchp->match = NULL; + } + free(matchp); + matchp = tmp; + } for (m = cs->match_list; m;) { nm = m->next; - if (!m->ismatch) - free(m->u.watcher->t); free(m); m = nm; } + + if (cs->target) { + if (cs->target->udata_size) + free(cs->target->udata); + free(cs->target->t); + } } /* 0: default, print only 2 digits if necessary diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index c6993438d8cbe..ac36270052e25 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c 
@@ -786,24 +786,12 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table) struct xtables_rule_match *xtrm_i; struct ebt_match *match; - if (nft_init(h, xtables_bridge) < 0) - xtables_error(OTHER_PROBLEM, - "Could not initialize nftables layer."); - - h->ops = nft_family_ops_lookup(h->family); - if (h->ops == NULL) - xtables_error(PARAMETER_PROBLEM, "Unknown family"); - - /* manually registering ebt matches, given the original ebtables parser - * don't use '-m matchname' and the match can't loaded dinamically when - * the user calls it. - */ - ebt_load_match_extensions(); - /* clear mflags in case do_commandeb gets called a second time * (we clear the global list of all matches for security)*/ - for (m = xtables_matches; m; m = m->next) + for (m = xtables_matches; m; m = m->next) { m->mflags = 0; + memset(m->m->data, 0, m->m->u.match_size - sizeof(*m->m)); + } for (t = xtables_targets; t; t = t->next) { t->tflags = 0; -- 2.18.0
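Review bot: in the nft-bridge.c hunk, the new `cs->target` block frees `cs->target->udata` and `cs->target->t` but leaves both pointers dangling inside an object that, as the commit message explains, is now reused across do_commandeb() calls; set them to NULL after freeing (`cs->target->t = NULL;` and likewise for `udata`) so a later rule that picks the same target cannot double-free or read freed memory. The rewritten match loop relies on the `matchp->match == matchp->match->next` convention to recognise a cloned xtables_match; a short comment saying that clones mark themselves by pointing `next` at themselves, and why the clone's `m` is deliberately not freed here (reused like the non-clone case), would stop the next reader from switching this back to xtables_rule_matches_free(). The commit message also says watcher `t` must not be freed because it is reused, yet the target's `t` is freed in this hunk; one sentence on why the target's `t` is per-rule while the watcher's is not would make the asymmetry clear.

Review bot: in the xtables-eb.c hunk, the added `memset(m->m->data, 0, m->m->u.match_size - sizeof(*m->m))` dereferences `m->m` for every entry of the global xtables_matches list without checking for NULL; any registered match that never had an `m` allocated would crash here, so guard it with `if (m->m)`. Zeroing also discards whatever defaults the extension set when it was loaded; if the removed ebt_load_match_extensions() path initialised the match data through the extension's init callback, call `m->init(m->m)` (when non-NULL) after the memset so the second and later rules start from the same state as the first. The `t->tflags = 0` loop below gets no equivalent reset of target data, presumably because ebt_cs_clean() now frees the target's `t`; tying the two changes together in the commit message would help.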