xtables: Fix potential segfault in nft_rule_append()
authorPhil Sutter <phil@nwl.cc>
Mon, 6 Aug 2018 15:23:23 +0000 (17:23 +0200)
committerFlorian Westphal <fw@strlen.de>
Mon, 6 Aug 2018 16:17:39 +0000 (18:17 +0200)
If batch_rule_add() failed (ENOMEM), nft_rule_append() frees the
rule and then tries to add it to the rule cache. Better to return 0
(failure) instead of continuing.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
iptables/nft.c

index b893859d286607dc9fa3e21d67271ca2a2e84a5f..1c076510962b3f4e40dd459d8907c6c1f0e38749 100644 (file)
@@ -1173,8 +1173,10 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
        } else
                type = NFT_COMPAT_RULE_APPEND;
 
-       if (batch_rule_add(h, type, r) < 0)
+       if (batch_rule_add(h, type, r) < 0) {
                nftnl_rule_free(r);
+               return 0;
+       }
 
        if (verbose)
                h->ops->print_rule(r, 0, FMT_PRINT_RULE);
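Review bot: The new early return at the `batch_rule_add()` failure branch is correct but silent: nothing in this hunk sets errno or prints a diagnostic, so whether the caller can tell the user "out of memory" rather than a generic failure depends on `batch_rule_add()` leaving errno at ENOMEM, which is not visible here and worth confirming. The branch also deserves a comment stating the ownership rule it now enforces, since the success path passes `r` to the batch and then still dereferences it in `print_rule()`; I would add above the `if`: `/* On success the batch owns r; on failure nothing references it, so free it and fail. */`. The `} else` on the first context line leaves its single statement unbraced while the new failure branch is braced; that is pre-existing code, but braces on both arms would be consistent with the style the patch introduces. `nft_rule_append()` starts before this hunk and continues past it, so its other failure paths could not be checked for the same pattern.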