[PATCH nft] libnftables: fix memleak when first message in batch is used to report error

[Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>]

The err->seqnum == batch_seqnum case results in a memleak of mnl_err
objects under some scenarios such as nf_tables kernel support is not
available or user runs the nft executable as non-root.

Fixes: f930cc500318 ("nftables: fix supression of "permission denied" errors")
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
Supersedes: https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210623112628.1543-1-pablo@xxxxxxxxxxxxx/

 src/libnftables.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/libnftables.c b/src/libnftables.c
index e080eb032770..2378f7dd76fb 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -89,6 +89,12 @@ static int nft_netlink(struct nft_ctx *nft,
 			last_seqnum = UINT32_MAX;
 		}
 	}
+	/* nfnetlink uses the first netlink message header in the batch whose
+	 * sequence number is zero to report for EOPNOTSUPP and EPERM errors in
+	 * some scenarios. Now it is safe to release here.
+	 */
+	list_for_each_entry_safe(err, tmp, &err_list, head)
+		mnl_err_list_free(err);
 out:
 	mnl_batch_reset(ctx.batch);
 	return ret;
-- 
2.30.2