On Sat, Sep 23, 2023 at 03:38:04AM +0200, Phil Sutter wrote:
[...]
> +static int nf_tables_getrule_reset(struct sk_buff *skb,
> + const struct nfnl_info *info,
> + const struct nlattr * const nla[])
> +{
> + struct nftables_pernet *nft_net = nft_pernet(info->net);
> + u8 family = info->nfmsg->nfgen_family;
> + u32 portid = NETLINK_CB(skb).portid;
> + char *tablename, *buf;
> + struct sk_buff *skb2;
> +
> + if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
> + struct netlink_dump_control c = {
> + .start= nf_tables_dumpreset_rules_start,
> + .dump = nf_tables_dumpreset_rules,
> + .done = nf_tables_dump_rules_done,
> + .module = THIS_MODULE,
> + .data = (void *)nla,
> + };
> +
> + return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
> + }
> +
> + if (!nla[NFTA_RULE_TABLE])
> + return -EINVAL;
> +
> + tablename = nla_strdup(nla[NFTA_RULE_TABLE], GFP_ATOMIC);
> + if (!tablename)
> + return -ENOMEM;
> +
> + spin_lock(&nft_net->reset_lock);
> + skb2 = nf_tables_getrule_single(portid, info, nla, true);
> + spin_unlock(&nft_net->reset_lock);
> + if (IS_ERR(skb2))
This leaks tablename?
> + return PTR_ERR(skb2);
> +
> + buf = kasprintf(GFP_ATOMIC, "%s:%u", tablename, nft_net->base_seq);
> + audit_log_nfcfg(buf, family, 1, AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
> + kfree(buf);
> + kfree(tablename);
> +
> + return nfnetlink_unicast(skb2, info->net, portid);
> }
>
> void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
