On Wed, Jul 23, 2025 at 05:00:11PM +0200, Florian Westphal wrote: > When the hook location is invalid we error out but we do leak both > the priority expression and the flowtable name. Example: > > valgrind --leak-check=full nft -f flowtable-parser-err-memleak > [..] Error: unknown chain hook > hook enoent priority filter + 10 > ^^^^^^ > [..] > 2 bytes in 1 blocks are definitely lost in loss record 1 of 3 > at: malloc (vg_replace_malloc.c:446) > by: strdup (in libc.so.6) > by: xstrdup (in libnftables.so.1.1.0) > by: nft_lex (in libnftables.so.1.1.0) > by: nft_parse (in libnftables.so.1.1.0) > by: __nft_run_cmd_from_filename (in libnftables.so.1.1.0) > by: nft_run_cmd_from_filename (in libnftables.so.1.1.0) > > First two reports are due to the priority expression: this needs to call > expr_free(). Third report is due to the flowtable name, the destructor > was missing so add one. > > After fix: > All heap blocks were freed -- no leaks are possible > > Signed-off-by: Florian Westphal <fw@xxxxxxxxx> Reviewed-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> Thanks
