libnftables: Print errors before freeing commands

Commands may contain data printed by an error record, so make sure
cmd_free() is not called before erec_print_list() has returned.

Fixes: 778de37d82e7b ("libnftables: Keep cmds list outside of parser_state")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/libnftables.c b/src/libnftables.c
index bd79cd6091d259c5cfeff4424587c308b5964bfa..2271d270fd574047ed2cdf5668e9bae032b2f504 100644 (file)
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -398,11 +398,11 @@ int nft_run_cmd_from_buffer(struct nft_ctx *nft, const char *buf)
        if (nft_netlink(nft, &cmds, &msgs, nft->nf_sock) != 0)
                rc = -1;
 err:
+       erec_print_list(&nft->output, &msgs, nft->debug_mask);
        list_for_each_entry_safe(cmd, next, &cmds, list) {
                list_del(&cmd->list);
                cmd_free(cmd);
        }
-       erec_print_list(&nft->output, &msgs, nft->debug_mask);
        iface_cache_release();
        if (nft->scanner) {
                scanner_destroy(nft->scanner);
@@ -442,11 +442,11 @@ int nft_run_cmd_from_filename(struct nft_ctx *nft, const char *filename)
        if (nft_netlink(nft, &cmds, &msgs, nft->nf_sock) != 0)
                rc = -1;
 err:
+       erec_print_list(&nft->output, &msgs, nft->debug_mask);
        list_for_each_entry_safe(cmd, next, &cmds, list) {
                list_del(&cmd->list);
                cmd_free(cmd);
        }
-       erec_print_list(&nft->output, &msgs, nft->debug_mask);
        iface_cache_release();
        if (nft->scanner) {
                scanner_destroy(nft->scanner);