diff options
| author | Phil Sutter <phil@nwl.cc> | 2020-05-06 13:33:20 +0200 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2020-05-11 14:28:29 +0200 |
| commit | b199aca80da5741add50cce244492cc005230b66 (patch) | |
| tree | b770ea139885a8734725b3c729a87e14a3437157 | |
| parent | b3b7eb6ce8773bcc76f603ebb0e606001894da34 (diff) | |
nft: Fix leak when replacing a rule
If nft_rule_append() is called with a reference rule, it is supposed to
insert the new rule at the reference position and then remove the
reference from cache. Instead, it removed the new rule from cache again
right after inserting it. Also, it missed to free the removed rule.
Fixes: 5ca9acf51adf9 ("xtables: Fix position of replaced rules in cache")
Signed-off-by: Phil Sutter <phil@nwl.cc>
| -rw-r--r-- | iptables/nft.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/iptables/nft.c b/iptables/nft.c index 01268f78..3c0daa8d 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -1429,7 +1429,8 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table, if (ref) { nftnl_chain_rule_insert_at(r, ref); - nftnl_chain_rule_del(r); + nftnl_chain_rule_del(ref); + nftnl_rule_free(ref); } else { c = nft_chain_find(h, table, chain); if (!c) { |