xtables-standalone: call nft_fini in the error path

This error is shown with valgrind tools:

valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

==7377== 16 bytes in 1 blocks are still reachable in loss record 1 of 14
==7377==    at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==7377==    by 0x574CC76: mnl_socket_open (socket.c:117)
==7377==    by 0x417495: nft_init (nft.c:598)
==7377==    by 0x4134C2: xtables_main (xtables-standalone.c:64)
==7377==    by 0x5B87994: (below main) (libc-start.c:260)

This patch calls nft_fini to release the objects that have been allocated in
nft_init. This function was not used so far.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/xtables-standalone.c b/iptables/xtables-standalone.c
index cb685d641b320212f19615948a6bd1460a59ef3b..c9f8e15ab8b54ec3729dbd059a9c7218636a2eff 100644 (file)
--- a/iptables/xtables-standalone.c
+++ b/iptables/xtables-standalone.c
@@ -66,6 +66,7 @@ xtables_main(int argc, char *argv[])
                                xtables_globals.program_name,
                                xtables_globals.program_version,
                                strerror(errno));
+               nft_fini(&h);
                exit(EXIT_FAILURE);
        }
 
@@ -73,6 +74,8 @@ xtables_main(int argc, char *argv[])
        if (ret)
                ret = nft_commit(&h);
 
+       nft_fini(&h);
+
        if (!ret) {
                if (errno == EINVAL) {
                        fprintf(stderr, "iptables: %s. "