From 8bee0db39f7553589c2cec58cc92ed2eafd2eb57 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Fri, 25 Nov 2022 21:44:39 +0100 Subject: iptables: Properly clear iptables_command_state object When adding a rule with a target which defines a udata_size, valgrind prints: 8 bytes in 1 blocks are definitely lost in loss record 1 of 1 at 0x484659F: calloc (vg_replace_malloc.c:1328) by 0x486B128: xtables_calloc (xtables.c:434) by 0x1128B4: xs_init_target (xshared.c:238) by 0x113CD3: command_jump (xshared.c:877) by 0x114969: do_parse (xshared.c:1644) by 0x10EEB9: do_command4 (iptables.c:691) by 0x10E45B: iptables_main (iptables-standalone.c:59) by 0x49A2349: (below main) (in /lib64/libc.so.6) It is not sufficient to free cs.target->t, so call xtables_clear_iptables_command_state() which takes care of all the details. Fixes: 2dba676b68ef8 ("extensions: support for per-extension instance "global" variable space") Signed-off-by: Phil Sutter --- iptables/ip6tables.c | 3 +-- iptables/iptables.c | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c index 1d232657..345af451 100644 --- a/iptables/ip6tables.c +++ b/iptables/ip6tables.c @@ -778,7 +778,6 @@ int do_command6(int argc, char *argv[], char **table, xtables_find_target(cs.jumpto, XTF_LOAD_MUST_SUCCEED); } else { e = generate_entry(&cs.fw6, cs.matches, cs.target->t); - free(cs.target->t); } } @@ -880,7 +879,7 @@ int do_command6(int argc, char *argv[], char **table, if (verbose > 1) dump_entries6(*handle); - xtables_rule_matches_free(&cs.matches); + xtables_clear_iptables_command_state(&cs); if (e != NULL) { free(e); diff --git a/iptables/iptables.c b/iptables/iptables.c index d246198f..6f7b3476 100644 --- a/iptables/iptables.c +++ b/iptables/iptables.c @@ -773,7 +773,6 @@ int do_command4(int argc, char *argv[], char **table, xtables_find_target(cs.jumpto, XTF_LOAD_MUST_SUCCEED); } else { e = generate_entry(&cs.fw, cs.matches, cs.target->t); - free(cs.target->t); } } @@ -875,7 +874,7 @@ int do_command4(int argc, char *argv[], char **table, if (verbose > 1) dump_entries(*handle); - xtables_rule_matches_free(&cs.matches); + xtables_clear_iptables_command_state(&cs); if (e != NULL) { free(e); -- cgit v1.2.3