From 5abac347532916f41254584e4590dc98a75ff716 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 17 Jun 2021 17:01:54 +0200
Subject: netlink_delinearize: memleak when listing ct event rule

listing a ruleset containing:

	ct event set new,related,destroy,label

results in memleak:

 Direct leak of 3672 byte(s) in 27 object(s) allocated from:
    #0 0x7fa5465c0330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7fa54233772c in xmalloc /home/.../devel/nftables/src/utils.c:36
    #2 0x7fa5423378eb in xzalloc /home/.../devel/nftables/src/utils.c:75
    #3 0x7fa5422488c6 in expr_alloc /home/.../devel/nftables/src/expression.c:45
    #4 0x7fa54224fb91 in binop_expr_alloc /home/.../devel/nftables/src/expression.c:698
    #5 0x7fa54224ddf8 in bitmask_expr_to_binops /home/.../devel/nftables/src/expression.c:512
    #6 0x7fa5423102ca in expr_postprocess /home/.../devel/nftables/src/netlink_delinearize.c:2448

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/netlink_delinearize.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 413ef6b4..58daa4e0 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2879,8 +2879,9 @@ rule_maybe_reset_payload_deps(struct payload_dep_ctx *pdctx, enum stmt_types t)
 
 static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *rule)
 {
-	struct rule_pp_ctx rctx;
 	struct stmt *stmt, *next;
+	struct rule_pp_ctx rctx;
+	struct expr *expr;
 
 	memset(&rctx, 0, sizeof(rctx));
 	proto_ctx_init(&rctx.pctx, rule->handle.family, ctx->debug_mask);
@@ -2909,9 +2910,11 @@ static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *r
 				expr_postprocess(&rctx, &stmt->ct.expr);
 
 				if (stmt->ct.expr->etype == EXPR_BINOP &&
-				    stmt->ct.key == NFT_CT_EVENTMASK)
-					stmt->ct.expr = binop_tree_to_list(NULL,
-									   stmt->ct.expr);
+				    stmt->ct.key == NFT_CT_EVENTMASK) {
+					expr = binop_tree_to_list(NULL, stmt->ct.expr);
+					expr_free(stmt->ct.expr);
+					stmt->ct.expr = expr;
+				}
 			}
 			break;
 		case STMT_NAT:
-- 
cgit v1.2.3