libnftables: fix memleak when first message in batch is used to report error

The err->seqnum == batch_seqnum case results in a memleak of mnl_err
objects under some scenarios such as nf_tables kernel support is not
available or user runs the nft executable as non-root.

Fixes: f930cc500318 ("nftables: fix supression of "permission denied" errors")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/libnftables.c b/src/libnftables.c
index e080eb03277082eec7236b300a59bc7c5a3c5217..e3b6ff0ae8d3658583bdef514e5d5f541567ea82 100644 (file)
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -89,6 +89,12 @@ static int nft_netlink(struct nft_ctx *nft,
                        last_seqnum = UINT32_MAX;
                }
        }
+       /* nfnetlink uses the first netlink message header in the batch whose
+        * sequence number is zero to report for EOPNOTSUPP and EPERM errors in
+        * some scenarios. Now it is safe to release pending errors here.
+        */
+       list_for_each_entry_safe(err, tmp, &err_list, head)
+               mnl_err_list_free(err);
 out:
        mnl_batch_reset(ctx.batch);
        return ret;