Commit 9dd732e0 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso
Browse files

netfilter: nf_tables: memleak flow rule from commit path 



Abort path release flow rule object, however, commit path does not.
Update code to destroy these objects before releasing the transaction.

Fixes: c9626a2c ("netfilter: nf_tables: add hardware offload support")
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent c271cc9f

net/netfilter/nf_tables_api.c

+6 −0
Original line number Diff line number Diff line
@@ -8329,6 +8329,9 @@ static void nft_commit_release(struct nft_trans *trans) 
		nf_tables_chain_destroy(&trans->ctx);

		break;

	case NFT_MSG_DELRULE:

		if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)

			nft_flow_rule_destroy(nft_trans_flow_rule(trans));



		nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));

		break;

	case NFT_MSG_DELSET:
@@ -8817,6 +8820,9 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) 
			nf_tables_rule_notify(&trans->ctx,

					      nft_trans_rule(trans),

					      NFT_MSG_NEWRULE);

			if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)

				nft_flow_rule_destroy(nft_trans_flow_rule(trans));



			nft_trans_destroy(trans);

			break;

		case NFT_MSG_DELRULE: