From 08c9bfc99382a60b6656ddb25ffdf4baee4df65d Mon Sep 17 00:00:00 2001
From: Alvaro Neira
Date: Wed, 11 Feb 2015 22:12:22 +0100
Subject: ruleset: fix leak in json/xml in set lists

==18632== 285 (16 direct, 269 indirect) bytes in 1 blocks are definitely lost in loss record 6 of 6
==18632== at 0x4C272B8: calloc (vg_replace_malloc.c:566)
==18632== by 0x5043822: nft_set_list_alloc (set.c:977)
==18632== by 0x5045483: nft_ruleset_json_parse (ruleset.c:442)
==18632== by 0x50458BE: nft_ruleset_do_parse (ruleset.c:696)
==18632== by 0x408AEC: do_command (rule.c:1317)
==18632== by 0x406B05: nft_run (main.c:194)
==18632== by 0x40667C: main (main.c:360)

Signed-off-by: Alvaro Neira Ayuso
Signed-off-by: Pablo Neira Ayuso
---
 src/ruleset.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

(limited to 'src/ruleset.c')

diff --git a/src/ruleset.c b/src/ruleset.c
index 15e84cf..f5b6d55 100644
--- a/src/ruleset.c
+++ b/src/ruleset.c
@@ -439,10 +439,6 @@ static int nft_ruleset_json_parse_ruleset(struct nft_parse_ctx *ctx,
 json_t *node, *array = ctx->json;
 int len, i, ret;
 
- ctx->set_list = nft_set_list_alloc();
- if (ctx->set_list == NULL)
- return -1;
-
 len = json_array_size(array);
 for (i = 0; i < len; i++) {
 node = json_array_get(array, i);
@@ -525,12 +521,16 @@ static int nft_ruleset_json_parse(const void *json,
 ctx.cb = cb;
 ctx.format = type;
 
+ ctx.set_list = nft_set_list_alloc();
+ if (ctx.set_list == NULL)
+ return -1;
+
 if (arg != NULL)
 nft_ruleset_ctx_set(&ctx, NFT_RULESET_CTX_DATA, arg);
 
 root = nft_jansson_create_root(json, &error, err, input);
 if (root == NULL)
- return -1;
+ goto err;
 
 array = json_object_get(root, "nftables");
 if (array == NULL) {
@@ -554,9 +554,11 @@ static int nft_ruleset_json_parse(const void *json,
 goto err;
 }
 
+ nft_set_list_free(ctx.set_list);
 nft_jansson_free_root(root);
 return 0;
 err:
+ nft_set_list_free(ctx.set_list);
 nft_jansson_free_root(root);
 return -1;
 #else
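Review bot: The new `goto err` on the `root == NULL` path of nft_ruleset_json_parse now reaches `nft_jansson_free_root(root)` with a NULL pointer, where the old code returned before any cleanup. That helper is defined outside this hunk, so whether it tolerates NULL has to be confirmed; if it does not, keep the early exit local with `nft_set_list_free(ctx.set_list); return -1;` or guard the call with `if (root != NULL)`. The same applies to the `tree == NULL` path in nft_ruleset_xml_parse, where `goto err` now reaches `mxmlDelete(tree)`. If both helpers are NULL-safe, a short comment at the label such as `/* root may be NULL here */` would record that dependency. The function body starts before and continues past this hunk.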
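Review bot: The success tail and the `err:` tail of nft_ruleset_json_parse now repeat the same two cleanup calls, so any resource added to this parser later has to be released in both places to avoid another leak. A single exit path would remove that risk: keep the result in a local initialised to -1, set `ret = 0;` immediately before the label, and finish with `return ret;` after the two free calls. The tail of nft_ruleset_xml_parse has the same duplication around `mxmlDelete(tree)`. The declarations of both functions lie outside the hunks, so whether a suitable local already exists is not visible here.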
@@ -573,10 +575,6 @@ static int nft_ruleset_xml_parse_ruleset(struct nft_parse_ctx *ctx,
 mxml_node_t *node, *array = ctx->xml;
 int len = 0, ret;
 
- ctx->set_list = nft_set_list_alloc();
- if (ctx->set_list == NULL)
- return -1;
-
 for (node = mxmlFindElement(array, array, NULL, NULL, NULL,
 MXML_DESCEND_FIRST);
 node != NULL;
@@ -653,12 +651,16 @@ static int nft_ruleset_xml_parse(const void *xml, struct nft_parse_err *err,
 ctx.cb = cb;
 ctx.format = type;
 
+ ctx.set_list = nft_set_list_alloc();
+ if (ctx.set_list == NULL)
+ return -1;
+
 if (arg != NULL)
 nft_ruleset_ctx_set(&ctx, NFT_RULESET_CTX_DATA, arg);
 
 tree = nft_mxml_build_tree(xml, "nftables", err, input);
 if (tree == NULL)
- return -1;
+ goto err;
 
 ctx.xml = tree;
 
@@ -670,9 +672,11 @@ static int nft_ruleset_xml_parse(const void *xml, struct nft_parse_err *err,
 nodecmd = mxmlWalkNext(tree, tree, MXML_NO_DESCEND);
 }
 
+ nft_set_list_free(ctx.set_list);
 mxmlDelete(tree);
 return 0;
 err:
+ nft_set_list_free(ctx.set_list);
 mxmlDelete(tree);
 return -1;
 #else
-- 
cgit v1.2.3