netfilter: nft_connlimit: memleak if nf_ct_netns_get() fails

Check if nf_ct_netns_get() fails then release the limit object
previously allocated via kmalloc().

Fixes: 37f319f37d90 ("netfilter: nft_connlimit: move stateful fields out of expression data")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nft_connlimit.c b/net/netfilter/nft_connlimit.c
index 7d00a14..3362417 100644 (file)
--- a/net/netfilter/nft_connlimit.c
+++ b/net/netfilter/nft_connlimit.c
@@ -62,6 +62,7 @@ static int nft_connlimit_do_init(const struct nft_ctx *ctx,
 {
        bool invert = false;
        u32 flags, limit;
+       int err;
 
        if (!tb[NFTA_CONNLIMIT_COUNT])
                return -EINVAL;
@@ -84,7 +85,15 @@ static int nft_connlimit_do_init(const struct nft_ctx *ctx,
        priv->limit     = limit;
        priv->invert    = invert;
 
-       return nf_ct_netns_get(ctx->net, ctx->family);
+       err = nf_ct_netns_get(ctx->net, ctx->family);
+       if (err < 0)
+               goto err_netns;
+
+       return 0;
+err_netns:
+       kfree(priv->list);
+
+       return err;
 }
 
 static void nft_connlimit_do_destroy(const struct nft_ctx *ctx,