From: Phil Sutter Date: Wed, 6 May 2020 11:33:20 +0000 (+0200) Subject: nft: Fix leak when replacing a rule X-Git-Tag: v1.8.5~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b199aca80da5741add50cce244492cc005230b66;p=thirdparty%2Fiptables.git nft: Fix leak when replacing a rule If nft_rule_append() is called with a reference rule, it is supposed to insert the new rule at the reference position and then remove the reference from cache. Instead, it removed the new rule from cache again right after inserting it. Also, it missed to free the removed rule. Fixes: 5ca9acf51adf9 ("xtables: Fix position of replaced rules in cache") Signed-off-by: Phil Sutter --- diff --git a/iptables/nft.c b/iptables/nft.c index 01268f78..3c0daa8d 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -1429,7 +1429,8 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table, if (ref) { nftnl_chain_rule_insert_at(r, ref); - nftnl_chain_rule_del(r); + nftnl_chain_rule_del(ref); + nftnl_rule_free(ref); } else { c = nft_chain_find(h, table, chain); if (!c) {
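Review bot: with the added `nftnl_rule_free(ref);` in the `if (ref)` branch, nft_rule_append() now takes ownership of the reference rule and destroys it, so any caller that still holds `ref` after the call would be using freed memory; the hunk shows only this branch and not the callers, so a one-line comment above the branch (e.g. "ref is unlinked and freed here, caller must not use it afterwards") or a note in the function's header comment would make that contract explicit. The order of the two new lines is right: `nftnl_chain_rule_del(ref)` unlinks the rule from the chain's list before `nftnl_rule_free(ref)` releases it, which is what fixes both the wrong-rule removal and the leak the commit message describes, since the old `nftnl_chain_rule_del(r)` dropped the freshly inserted rule and left the replaced one both listed and unfreed.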