authorPablo Neira Ayuso <pablo@netfilter.org>2019-03-15 11:31:50 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2019-03-15 17:14:03 +0100
commit10e19428a5ef9568d9d1ba88f9158eaa0a161cb3 (patch)
tree3b85b62f7d5153f4dcd78a66d71c999268478255 /include
parentd3cace26609253a8e3f20aeb8693f37d63897a7e (diff)
src: file descriptor leak in include_file()
The file that contains the ruleset is never closed; track open files through the nft_ctx object and close them accordingly. Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r--include/nftables.h3
-rw-r--r--include/parser.h6
2 files changed, 6 insertions, 3 deletions
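diff --git a/include/nftables.h b/include/nftables.h
index 5c029261..b17a16a4 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -86,6 +86,8 @@ struct nft_cache {
 struct mnl_socket;
 struct parser_state;
+#define MAX_INCLUDE_DEPTH 16
+
 struct nft_ctx {
 struct mnl_socket *nf_sock;
 char **include_paths;
@@ -99,6 +101,7 @@ struct nft_ctx {
 struct parser_state *state;
 void *scanner;
 void *json_root;
+ FILE *f[MAX_INCLUDE_DEPTH];
 };
 enum nftables_exit_codes {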
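Review bot: The new `FILE *f[MAX_INCLUDE_DEPTH]` member of struct nft_ctx carries no comment on what each slot holds or who closes the entries, so a reader of this header cannot tell that it exists to fix the include_file() descriptor leak the commit describes. A comment such as `/* files opened while parsing, one slot per include nesting level; released when the scanner is destroyed */` would record that ownership (the release point is inferred from the scanner_destroy() signature change in parser.h — confirm). `FILE` also requires `<stdio.h>` to be visible in nftables.h, which this hunk does not show. Since the array is fixed at MAX_INCLUDE_DEPTH entries, whichever code stores into `nft->f[]` must check the nesting index against that bound before writing, which cannot be verified from the header hunks alone.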
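diff --git a/include/parser.h b/include/parser.h
index ea41ca03..8e57899e 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -3,8 +3,8 @@
 #include <list.h>
 #include <rule.h> // FIXME
+#include <nftables.h>
-#define MAX_INCLUDE_DEPTH 16
 #define TABSIZE 8
 #define YYLTYPE struct location
@@ -36,9 +36,9 @@ extern void parser_init(struct nft_ctx *nft, struct parser_state *state,
 extern int nft_parse(struct nft_ctx *ctx, void *, struct parser_state *state);
 extern void *scanner_init(struct parser_state *state);
-extern void scanner_destroy(void *scanner);
+extern void scanner_destroy(struct nft_ctx *nft);
-extern int scanner_read_file(void *scanner, const char *filename,
+extern int scanner_read_file(struct nft_ctx *nft, const char *filename,
 const struct location *loc);
 extern int scanner_include_file(struct nft_ctx *ctx, void *scanner,
 const char *filename,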
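Review bot: scanner_destroy() and scanner_read_file() now take `struct nft_ctx *nft`, but scanner_include_file() on the next lines still takes `struct nft_ctx *ctx, void *scanner`, so the header mixes two conventions for the same context parameter even though nft_ctx already carries a `void *scanner` member (see the nftables.h hunk). If its callers are updated in the same series, `extern int scanner_include_file(struct nft_ctx *nft, const char *filename, const struct location *loc);` would make the three scanner entry points uniform; otherwise at least naming the parameter `nft` here keeps the header consistent. The declarations also say nothing about the ownership the commit introduces: a comment on scanner_destroy() such as `/* also closes every FILE tracked in nft->f[] that scanner_read_file()/include_file() opened */` would make the fix visible at the API boundary (the exact close point is inferred from the commit message — confirm against the scanner implementation). The scanner_include_file() declaration continues past the end of this hunk.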