The err->seqnum == batch_seqnum case results in a memleak of mnl_err objects under some scenarios such as nf_tables kernel support is not available or user runs the nft executable as non-root. Fixes: f930cc500318 ("nftables: fix supression of "permission denied" errors") Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> --- Supersedes: https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210623112628.1543-1-pablo@xxxxxxxxxxxxx/ src/libnftables.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/libnftables.c b/src/libnftables.c index e080eb032770..2378f7dd76fb 100644 --- a/src/libnftables.c +++ b/src/libnftables.c @@ -89,6 +89,12 @@ static int nft_netlink(struct nft_ctx *nft, last_seqnum = UINT32_MAX; } } + /* nfnetlink uses the first netlink message header in the batch whose + * sequence number is zero to report for EOPNOTSUPP and EPERM errors in + * some scenarios. Now it is safe to release here. + */ + list_for_each_entry_safe(err, tmp, &err_list, head) + mnl_err_list_free(err); out: mnl_batch_reset(ctx.batch); return ret; -- 2.30.2