From e2c0529c7fe40be9f3f3c0131d26f44fe8fdc408 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 17 Jun 2021 02:58:09 +0200
Subject: netlink_delinearize: memleak in string netlink postprocessing

Listing a matching wilcard string results in a memleak: ifname "dummy*"

Direct leak of 136 byte(s) in 1 object(s) allocated from:
    #0 0x7f27ba52e330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f27b9e1d434 in xmalloc /home/.../devel/nftables/src/utils.c:36
    #2 0x7f27b9e1d5f3 in xzalloc /home/.../devel/nftables/src/utils.c:75
    #3 0x7f27b9d2e8c6 in expr_alloc /home/.../devel/nftables/src/expression.c:45
    #4 0x7f27b9d326e9 in constant_expr_alloc /home/.../devel/nftables/src/expression.c:419
    #5 0x7f27b9db9318 in netlink_alloc_value /home/.../devel/nftables/src/netlink.c:390
    #6 0x7f27b9de0433 in netlink_parse_cmp /home/.../devel/nftables/src/netlink_delinearize.c:321
    #7 0x7f27b9deb025 in netlink_parse_expr /home/.../devel/nftables/src/netlink_delinearize.c:1764
    #8 0x7f27b9deb0de in netlink_parse_rule_expr /home/.../devel/nftables/src/netlink_delinearize.c:1776
    #9 0x7f27b860af7b in nftnl_expr_foreach /home/.../devel/libnftnl/src/rule.c:690

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f27ba52e330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f27b9e1d434 in xmalloc /home/.../devel/nftables/src/utils.c:36
    #2 0x7f27b96975c5 in __gmpz_init2 (/usr/lib/x86_64-linux-gnu/libgmp.so.10+0x1c5c5)

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/netlink_delinearize.c | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'src')

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 952e2be5..413ef6b4 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2394,8 +2394,10 @@ static struct expr *expr_postprocess_string(struct expr *expr)
 	mask = constant_expr_alloc(&expr->location, &integer_type,
 				   BYTEORDER_HOST_ENDIAN,
 				   expr->len + BITS_PER_BYTE, NULL);
+	mpz_clear(mask->value);
 	mpz_init_bitmask(mask->value, expr->len);
 	out = string_wildcard_expr_alloc(&expr->location, mask, expr);
+	expr_free(expr);
 	expr_free(mask);
 	return out;
 }
-- 
cgit v1.2.3