If batch_rule_add() fails, this function leaked the rule iterator object. Fixes: 4c54c892443c2 ("xtables: Catch errors when zeroing rule rounters") Signed-off-by: Phil Sutter <phil@xxxxxx> --- iptables/nft.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/iptables/nft.c b/iptables/nft.c index 6354b7e8e72fe..dab1db59ec971 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -3374,8 +3374,10 @@ static int __nft_chain_zero_counters(struct nftnl_chain *c, void *data) * rule based on its handle only. */ nftnl_rule_unset(r, NFTNL_RULE_POSITION); - if (!batch_rule_add(h, NFT_COMPAT_RULE_REPLACE, r)) + if (!batch_rule_add(h, NFT_COMPAT_RULE_REPLACE, r)) { + nftnl_rule_iter_destroy(iter); return -1; + } } r = nftnl_rule_iter_next(iter); } -- 2.21.0