On Fri, Dec 21, 2018 at 12:24:55PM +0100, Pablo Neira Ayuso wrote: > On Sat, Dec 15, 2018 at 07:25:04PM +0100, Phil Sutter wrote: > > Covscan complained about call to batch_rule_add() not being checked. > > > > Signed-off-by: Phil Sutter <phil@xxxxxx> > > --- > > iptables/nft.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/iptables/nft.c b/iptables/nft.c > > index f9024927c0e73..ea7419b620e7a 100644 > > --- a/iptables/nft.c > > +++ b/iptables/nft.c > > @@ -3022,7 +3022,9 @@ static int __nft_chain_zero_counters(struct nftnl_chain *c, void *data) > > * rule based on its handle only. > > */ > > nftnl_rule_unset(r, NFTNL_RULE_POSITION); > > - batch_rule_add(h, NFT_COMPAT_RULE_REPLACE, r); > > + ret = batch_rule_add(h, NFT_COMPAT_RULE_REPLACE, r); > > + if (ret) > > + return -1; > > Probably 'goto err' so we destroy the iterator before returning -1? Let me get to review your larger pending patchset, then you can resubmit this on top. Sorry I didn't get to this any sooner. > > } > > r = nftnl_rule_iter_next(iter); > > } > > -- > > 2.19.0 > >
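Review bot: The `return -1` added under `if (ret)` in `__nft_chain_zero_counters()` exits from inside the rule loop, so the `iter` that `nftnl_rule_iter_next(iter)` is still walking is not released on this path. Route the failure through a shared cleanup path instead of returning directly, as the 'goto err' reply suggests, so the iterator is destroyed before -1 is returned. The commit message could also say that a failed `batch_rule_add()` now stops processing the remaining rules of the chain, since that is a behaviour change beyond silencing the Covscan warning.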