If batch_rule_add() fails, this function leaked the rule iterator
object.
Fixes: 4c54c892443c2 ("xtables: Catch errors when zeroing rule rounters")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule based on its handle only.
*/
nftnl_rule_unset(r, NFTNL_RULE_POSITION);
- if (!batch_rule_add(h, NFT_COMPAT_RULE_REPLACE, r))
+ if (!batch_rule_add(h, NFT_COMPAT_RULE_REPLACE, r)) {
+ nftnl_rule_iter_destroy(iter);
return -1;
+ }
}
r = nftnl_rule_iter_next(iter);
}
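Review bot: The new error branch after `batch_rule_add()` releases the iterator by hand just before `return -1;`, which leaves the function with a second release point if, as seems likely, it also destroys `iter` after the loop. A single exit path would make it harder for a later error branch to reintroduce this leak: record the failure in a local result variable, `break` out of the loop (or `goto` a cleanup label), and keep one `nftnl_rule_iter_destroy(iter);` ahead of the final return. The function starts and ends outside the hunk, so the normal-exit cleanup and any other early returns between iterator creation and this point cannot be verified from here and should be confirmed.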