From 172b660843501463a0894b0d2ca1dd48c898dc4d Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 11 Jan 2024 22:14:34 +0100
Subject: evaluate: release mpz type in expr_evaluate_list() error path

Detected when running:

 # nft -f tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash
 ==383222==ERROR: LeakSanitizer: detected memory leaks

 Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7fe7b54a9e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7fe7b538b9a9 in __gmp_default_allocate (/lib/x86_64-linux-gnu/libgmp.so.10+0xc9a9)

Fixes: 3671c4897003 ("evaluate: guard against NULL basetype")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/evaluate.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

(limited to 'src/evaluate.c')

diff --git a/src/evaluate.c b/src/evaluate.c
index 6c29579f..3b366166 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1695,16 +1695,22 @@ static int expr_evaluate_list(struct eval_ctx *ctx, struct expr **expr)
 
 	mpz_init_set_ui(val, 0);
 	list_for_each_entry_safe(i, next, &list->expressions, list) {
-		if (list_member_evaluate(ctx, &i) < 0)
+		if (list_member_evaluate(ctx, &i) < 0) {
+			mpz_clear(val);
 			return -1;
-		if (i->etype != EXPR_VALUE)
+		}
+		if (i->etype != EXPR_VALUE) {
+			mpz_clear(val);
 			return expr_error(ctx->msgs, i,
 					  "List member must be a constant "
 					  "value");
-		if (datatype_basetype(i->dtype)->type != TYPE_BITMASK)
+		}
+		if (datatype_basetype(i->dtype)->type != TYPE_BITMASK) {
+			mpz_clear(val);
 			return expr_error(ctx->msgs, i,
 					  "Basetype of type %s is not bitmask",
 					  i->dtype->desc);
+		}
 		mpz_ior(val, val, i->value);
 	}
 
-- 
cgit v1.2.3