nft: cache: Avoid double free of unrecognized base-chains
authorPhil Sutter <phil@nwl.cc>
Tue, 21 Sep 2021 09:39:45 +0000 (11:39 +0200)
committerPhil Sutter <phil@nwl.cc>
Mon, 27 Sep 2021 11:29:28 +0000 (13:29 +0200)
On error, nft_cache_add_chain() frees the allocated nft_chain object
along with the nftnl_chain it points at. Fix nftnl_chain_list_cb() to
not free the nftnl_chain again in that case.

Fixes: 176c92c26bfc9 ("nft: Introduce a dedicated base chain array")
Signed-off-by: Phil Sutter <phil@nwl.cc>
iptables/nft-cache.c
iptables/tests/shell/testcases/chain/0004extra-base_0 [new file with mode: 0755]

index 2c88301cc74458925f13f6b81ca830b75b59f7d2..9a03bbfbb32bbb44a43dfd4bc76453c6e1e57f85 100644 (file)
@@ -314,9 +314,7 @@ static int nftnl_chain_list_cb(const struct nlmsghdr *nlh, void *data)
                goto out;
        }
 
-       if (nft_cache_add_chain(h, t, c))
-               goto out;
-
+       nft_cache_add_chain(h, t, c);
        return MNL_CB_OK;
 out:
        nftnl_chain_free(c);
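Review bot: The result of `nft_cache_add_chain(h, t, c)` is now discarded with no comment, so a reader cannot tell that the callee owns `c` on failure as well as success. That ownership rule is what the double free violated, and a later "check the return value" cleanup could easily reintroduce it. I would add `/* nft_cache_add_chain() takes ownership of c and frees it on error */` above the call and make the discard explicit with `(void)nft_cache_add_chain(h, t, c);`. Whether a failed insert should also be reported to the user cannot be judged from here, because the callee and the code after `out:` are outside the hunk. The body of nftnl_chain_list_cb() starts and ends outside the hunk.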
diff --git a/iptables/tests/shell/testcases/chain/0004extra-base_0 b/iptables/tests/shell/testcases/chain/0004extra-base_0
new file mode 100755 (executable)
index 0000000..1b85b06
--- /dev/null
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+case $XT_MULTI in
+*xtables-nft-multi)
+       ;;
+*)
+       echo skip $XT_MULTI
+       exit 0
+       ;;
+esac
+
+set -e
+
+nft -f - <<EOF
+table ip filter {
+        chain INPUT {
+                type filter hook input priority filter
+                counter packets 218 bytes 91375 accept
+        }
+
+        chain x {
+                type filter hook input priority filter
+        }
+}
+EOF
+
+$XT_MULTI iptables -L
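Review bot: Nothing in the script says what it guards against, and its only assertion is the exit status of the final `$XT_MULTI iptables -L` under `set -e`. A header comment such as `# listing a table with an extra, unrecognized base chain used to double free the chain in nft-cache.c` would tie the test to the fix. The regression shows up only if the double free actually aborts the process, so the test presumably relies on the allocator's own detection; running it under a memory checker, if the suite supports one, would make the result deterministic. Quoting `"$XT_MULTI"` in the `echo` and in the final call would also be more robust against paths containing spaces.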