[iptables PATCH 08/10] xtables: Add missing deinitialization


 



These fix reports for definitely lost blocks in valgrind. Not really
memleaks, but due to nft_handle going out of scope they're counted as
lost. Still worth fixing though since it reduces noise when auditing
code for real issues.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft-arp.c      | 2 +-
 iptables/nft-shared.c   | 2 ++
 iptables/xtables-save.c | 9 +++++----
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 2843c440ef92d..7332b6193f16a 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -691,7 +691,7 @@ struct nft_family_ops nft_family_ops_arp = {
 	.save_chain		= nft_arp_save_chain,
 	.post_parse		= NULL,
 	.rule_to_cs		= nft_arp_rule_to_cs,
-	.clear_cs		= NULL,
+	.clear_cs		= nft_clear_iptables_command_state,
 	.rule_find		= nft_arp_rule_find,
 	.parse_target		= nft_arp_parse_target,
 };
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 62a57dd5f02b4..4557f17d43630 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -682,6 +682,8 @@ void nft_rule_to_iptables_command_state(const struct nftnl_rule *r,
 void nft_clear_iptables_command_state(struct iptables_command_state *cs)
 {
 	xtables_rule_matches_free(&cs->matches);
+	if (cs->target)
+		free(cs->target->t);
 }
 
 void print_header(unsigned int format, const char *chain, const char *pol,
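Review bot: After the added `free(cs->target->t)` in nft_clear_iptables_command_state the pointer is left dangling, so a second clear of the same command state, or any later read of `cs->target->t`, would be a double free or use-after-free. Resetting it closes that off: `if (cs->target) { free(cs->target->t); cs->target->t = NULL; }`. This matters most if the target object outlives the command state, which looks plausible since the function frees only `t` and not `cs->target` itself, but the ownership is not visible in this hunk. The nft-arp.c hunk in this patch wires `.clear_cs` to the same function, so ARP rules take the same path.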
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 182ae13c276f4..6734c6b315872 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -203,12 +203,12 @@ xtables_save_main(int family, const char *progname, int argc, char *argv[])
 		exit(EXIT_FAILURE);
 	}
 
-	if (dump) {
-		do_output(&h, tablename, show_counters);
+	ret = do_output(&h, tablename, show_counters);
+	nft_fini(&h);
+	if (dump)
 		exit(0);
-	}
 
-	return do_output(&h, tablename, show_counters);
+	return ret;
 }
 
 int xtables_ip4_save_main(int argc, char *argv[])
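Review bot: With `dump` set, the value just stored in `ret` is dropped and the process exits 0 whatever do_output() returned, so a caller checking the exit status cannot see a failed dump. The removed lines ignored the result in the same way, so if this is intentional a comment above `if (dump)` such as `/* dump mode always exits 0; ret is deliberately ignored */` would record that. The declaration of `ret` is not part of the hunk and xtables_save_main starts outside it, so presumably the variable already exists earlier in the function.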
@@ -325,5 +325,6 @@ int xtables_arp_save_main(int argc, char **argv)
 	nft_chain_save(&h, nft_chain_dump(&h), "filter");
 	nft_rule_save(&h, "filter", FMT_NOCOUNTS);
 	printf("\n");
+	nft_fini(&h);
 	return 0;
 }
-- 
2.18.0



