1From aa0c54030300441e9fd66c7016d0090f6736d449 Mon Sep 17 00:00:00 2001
2From: Phil Sutter <phil@nwl.cc>
3Date: Fri, 25 Nov 2022 21:21:22 +0100
4Subject: [PATCH] nft: Plug memleak in nft_rule_zero_counters()
5
6When zeroing a specific rule, valgrind reports:
7
840 bytes in 1 blocks are definitely lost in loss record 1 of 1
9 at 0x484659F: calloc (vg_replace_malloc.c:1328)
10 by 0x48DE128: xtables_calloc (xtables.c:434)
11 by 0x11C7C6: nft_parse_immediate (nft-shared.c:1071)
12 by 0x11C7C6: nft_rule_to_iptables_command_state (nft-shared.c:1236)
13 by 0x119AF5: nft_rule_zero_counters (nft.c:2877)
14 by 0x11A3CA: nft_prepare (nft.c:3445)
15 by 0x11A7A8: nft_commit (nft.c:3479)
16 by 0x114258: xtables_main.isra.0 (xtables-standalone.c:94)
17 by 0x1142D9: xtables_ip6_main (xtables-standalone.c:118)
18 by 0x49F2349: (below main) (in /lib64/libc.so.6)
19
20Have to free the matches/target in populated iptables_command_state object
21again. While being at it, call the proper family_ops callbacks since this is
22family-agnostic code.
23
24Conflict: NA
25Reference: https://git.netfilter.org/iptables/commit?id=aa0c54030300441e9fd66c7016d0090f6736d449
26
27Fixes: a69cc575295ee ("xtables: allow to reset the counters of an existing rule")
28Signed-off-by: Phil Sutter <phil@nwl.cc>
29---
30 iptables/nft.c | 5 +++--
31 1 file changed, 3 insertions(+), 2 deletions(-)
32
33diff --git a/iptables/nft.c b/iptables/nft.c
34index 67c5877c..430888e8 100644
35--- a/iptables/nft.c
36+++ b/iptables/nft.c
37@@ -2874,10 +2874,11 @@ int nft_rule_zero_counters(struct nft_handle *h, const char *chain,
38 goto error;
39 }
40
41- nft_rule_to_iptables_command_state(h, r, &cs);
42-
43+ h->ops->rule_to_cs(h, r, &cs);
44 cs.counters.pcnt = cs.counters.bcnt = 0;
45 new_rule = nft_rule_new(h, chain, table, &cs);
46+ h->ops->clear_cs(&cs);
47+
48 if (!new_rule)
49 return 1;
50
51-- 
522.23.0
53
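Review bot: The new `h->ops->clear_cs(&cs);` sits between `nft_rule_new()` and the `if (!new_rule)` check with nothing saying why, and that position is load-bearing: nft_rule_new() presumably still needs the matches/target that rule_to_cs() populated into cs, while the release has to come before the early `return 1` or the leak this commit fixes would merely move to the failure path. A one-line comment above the call would keep a later reorder from reintroducing it, e.g. `/* cs.matches/target were allocated by rule_to_cs(); release them on every path, but only after nft_rule_new() has consumed cs */`. The `return 1` two lines below also bypasses the `error:` label that the lookup failure at the top of the hunk jumps to; if that label ever gains cleanup this path would miss it, so routing it through the same label would be more consistent (the label and the rest of nft_rule_zero_counters are outside the hunk). Whether every family's ops table provides a non-NULL clear_cs cannot be confirmed from this hunk.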