nftables/backport-parser_bison-fix-memleak-in-meta-set-error-handling.patch

From 21608263cc1ae489326e743957bfe34b05414a44 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Fri, 8 Dec 2023 13:37:27 +0100
Subject: [PATCH] parser_bison: fix memleak in meta set error handling

We must release the expression here, found via afl++ and
-fsanitize-address build.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/parser_bison.y                                           | 1 +
 .../shell/testcases/bogons/nft-f/memleak_on_meta_set_errpath | 5 +++++
 2 files changed, 6 insertions(+)
 create mode 100644 tests/shell/testcases/bogons/nft-f/memleak_on_meta_set_errpath

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 64946a43..70acfc57 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -4955,6 +4955,7 @@ meta_stmt		:	META	meta_key	SET	stmt_expr
 				xfree($2);
 				if (erec != NULL) {
 					erec_queue(erec, state->msgs);
+					expr_free($4);
 					YYERROR;
 				}
 
diff --git a/tests/shell/testcases/bogons/nft-f/memleak_on_meta_set_errpath b/tests/shell/testcases/bogons/nft-f/memleak_on_meta_set_errpath
new file mode 100644
index 00000000..917e8bf8
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/memleak_on_meta_set_errpath
@@ -0,0 +1,5 @@
+table filter {
+ chain y {
+  meta seccark set ct secmark
+ }
+}
-- 
2.33.0