netfilter: nft_limit: fix stateful object memory leak

commit 1a58f84ea5df7f026bf92a0009f931bf547fe965 upstream.

We need to provide a destroy callback to release the extra fields.

Fixes: 3b9e2ea6c11b ("netfilter: nft_limit: move stateful fields out of expression data")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/netfilter/nft_limit.c b/net/netfilter/nft_limit.c
index 99846a536f2f06642759ca02d69015f9f2908f43..56b51f1ef1ebe6915176c0c41831409ea9a93a8f 100644 (file)
--- a/net/netfilter/nft_limit.c
+++ b/net/netfilter/nft_limit.c
@@ -345,11 +345,20 @@ static int nft_limit_obj_pkts_dump(struct sk_buff *skb,
        return nft_limit_dump(skb, &priv->limit, NFT_LIMIT_PKTS);
 }
 
+static void nft_limit_obj_pkts_destroy(const struct nft_ctx *ctx,
+                                      struct nft_object *obj)
+{
+       struct nft_limit_priv_pkts *priv = nft_obj_data(obj);
+
+       nft_limit_destroy(ctx, &priv->limit);
+}
+
 static struct nft_object_type nft_limit_obj_type;
 static const struct nft_object_ops nft_limit_obj_pkts_ops = {
        .type           = &nft_limit_obj_type,
        .size           = NFT_EXPR_SIZE(sizeof(struct nft_limit_priv_pkts)),
        .init           = nft_limit_obj_pkts_init,
+       .destroy        = nft_limit_obj_pkts_destroy,
        .eval           = nft_limit_obj_pkts_eval,
        .dump           = nft_limit_obj_pkts_dump,
 };
@@ -383,11 +392,20 @@ static int nft_limit_obj_bytes_dump(struct sk_buff *skb,
        return nft_limit_dump(skb, priv, NFT_LIMIT_PKT_BYTES);
 }
 
+static void nft_limit_obj_bytes_destroy(const struct nft_ctx *ctx,
+                                       struct nft_object *obj)
+{
+       struct nft_limit_priv *priv = nft_obj_data(obj);
+
+       nft_limit_destroy(ctx, priv);
+}
+
 static struct nft_object_type nft_limit_obj_type;
 static const struct nft_object_ops nft_limit_obj_bytes_ops = {
        .type           = &nft_limit_obj_type,
        .size           = sizeof(struct nft_limit_priv),
        .init           = nft_limit_obj_bytes_init,
+       .destroy        = nft_limit_obj_bytes_destroy,
        .eval           = nft_limit_obj_bytes_eval,
        .dump           = nft_limit_obj_bytes_dump,
 };