[PATCH] Missing free on error in iptables 1.3.4

[PATCH] Missing free on error in iptables 1.3.4

[Marcus Sundberg]

Hi,

the patch below fixes a missing free() statement in TC_COMMIT(),
and moves the setting of errno to come right before the return.

//Marcus

--- iptables.4490/libiptc/libiptc.c	(revision 4490)
+++ iptables/libiptc/libiptc.c	(working copy)
@@ -2081,9 +2081,10 @@

  	ret = iptcc_compile_table(*handle, repl);
  	if (ret < 0) {
-		errno = ret;
  		free(repl->counters);
  		free(repl);
+		free(newcounters);
+		errno = ret;
  		return 0;
  	}


Signed-off-by: Marcus Sundberg <marcus@ingate.com>

-- 
---------------------------------------+--------------------------
   Marcus Sundberg <marcus@ingate.com>  | Firewalls with SIP & NAT
  Software Developer, Ingate Systems AB |  http://www.ingate.com/

Re: [PATCH] Missing free on error in iptables 1.3.4

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 3001 bytes --]

On Wed, Nov 09, 2005 at 04:15:06PM +0100, Marcus Sundberg wrote:
> Hi,
> 
> the patch below fixes a missing free() statement in TC_COMMIT(),
> and moves the setting of errno to come right before the return.

thanks, I'm fixing this in a more general cleanup of the function error
path (see patch below)


Index: libiptc.c
===================================================================
--- libiptc.c	(revision 4510)
+++ libiptc.c	(working copy)
@@ -2034,13 +2034,13 @@
 	new_number = iptcc_compile_table_prep(*handle, &new_size);
 	if (new_number < 0) {
 		errno = ENOMEM;
-		return 0;
+		goto out_zero;
 	}
 
 	repl = malloc(sizeof(*repl) + new_size);
 	if (!repl) {
 		errno = ENOMEM;
-		return 0;
+		goto out_zero;
 	}
 	memset(repl, 0, sizeof(*repl) + new_size);
 
@@ -2055,17 +2055,14 @@
 	repl->counters = malloc(sizeof(STRUCT_COUNTERS)
 				* (*handle)->info.num_entries);
 	if (!repl->counters) {
-		free(repl);
 		errno = ENOMEM;
-		return 0;
+		goto out_free_repl;
 	}
 	/* These are the counters we're going to put back, later. */
 	newcounters = malloc(counterlen);
 	if (!newcounters) {
-		free(repl->counters);
-		free(repl);
 		errno = ENOMEM;
-		return 0;
+		goto out_free_repl_counters;
 	}
 	memset(newcounters, 0, counterlen);
 
@@ -2082,9 +2079,7 @@
 	ret = iptcc_compile_table(*handle, repl);
 	if (ret < 0) {
 		errno = ret;
-		free(repl->counters);
-		free(repl);
-		return 0;
+		goto out_free_newcounters;
 	}
 
 
@@ -2099,12 +2094,11 @@
 	}
 #endif
 
-	if (setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, repl,
-		       sizeof(*repl) + repl->size) < 0) {
-		free(repl->counters);
-		free(repl);
-		free(newcounters);
-		return 0;
+	ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, repl,
+			 sizeof(*repl) + repl->size);
+	if (ret < 0) {
+		errno = ret;
+		goto out_free_newcounters;
 	}
 
 	/* Put counters back. */
@@ -2194,21 +2188,29 @@
 	}
 #endif
 
-	if (setsockopt(sockfd, TC_IPPROTO, SO_SET_ADD_COUNTERS,
-		       newcounters, counterlen) < 0) {
-		free(repl->counters);
-		free(repl);
-		free(newcounters);
-		return 0;
+	ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_ADD_COUNTERS,
+			 newcounters, counterlen);
+	if (ret < 0) {
+		errno = ret;
+		goto out_free_newcounters;
 	}
 
 	free(repl->counters);
 	free(repl);
 	free(newcounters);
 
- finished:
+finished:
 	TC_FREE(handle);
 	return 1;
+
+out_free_newcounters:
+	free(newcounters);
+out_free_repl_counters:
+	free(repl->counters);
+out_free_repl:
+	free(repl);
+out_zero:
+	return 0;
 }
 
 /* Get raw socket. */
-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]