From 25d8f60537cd6a700b15941032a2b93066938af3 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Tue, 26 Feb 2019 22:13:38 +0100
Subject: [PATCH] libnftables: Print errors before freeing commands

Commands may contain data printed by an error record, so make sure cmd_free() is not called before erec_print_list() has returned.

Fixes: 778de37d82e7b ("libnftables: Keep cmds list outside of parser_state")
Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
(cherry picked from commit a0da4c5bbf0d741fb815a977c945afe1b9a0739f)
Signed-off-by: Phil Sutter
---
 src/libnftables.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/libnftables.c b/src/libnftables.c
index 640693df93755..5ca8236d8ba03 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -457,11 +457,11 @@ int nft_run_cmd_from_buffer(struct nft_ctx *nft, char *buf, size_t buflen)
 if (nft_netlink(nft, &cmds, &msgs, nft->nf_sock) != 0)
 rc = -1;
 err:
+ erec_print_list(&nft->output, &msgs, nft->debug_mask);
 list_for_each_entry_safe(cmd, next, &cmds, list) {
 list_del(&cmd->list);
 cmd_free(cmd);
 }
- erec_print_list(&nft->output, &msgs, nft->debug_mask);
 iface_cache_release();
 if (nft->scanner) {
 scanner_destroy(nft->scanner);
@@ -497,11 +497,11 @@ int nft_run_cmd_from_filename(struct nft_ctx *nft, const char *filename)
 if (nft_netlink(nft, &cmds, &msgs, nft->nf_sock) != 0)
 rc = -1;
 err:
+ erec_print_list(&nft->output, &msgs, nft->debug_mask);
 list_for_each_entry_safe(cmd, next, &cmds, list) {
 list_del(&cmd->list);
 cmd_free(cmd);
 }
- erec_print_list(&nft->output, &msgs, nft->debug_mask);
 iface_cache_release();
 if (nft->scanner) {
 scanner_destroy(nft->scanner);
--
2.21.0
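Review bot: The order of the two cleanup steps under `err:` is now a memory-safety requirement, but nothing in the code records it. Going by the commit message, error records on `msgs` can refer to data owned by the entries on `cmds`, so calling `cmd_free()` before `erec_print_list()` would be a use-after-free on the error-reporting path. I would add a comment above the moved call in nft_run_cmd_from_buffer(), e.g. `/* erecs may reference data owned by cmds: print them before cmd_free() */`, and the same in the identical block in nft_run_cmd_from_filename(). Because the two cleanup sequences are copies of each other, moving the print-then-free steps into one static helper would stop the order from diverging again; running a ruleset that fails evaluation under AddressSanitizer or valgrind would confirm the fix. Both function bodies start and end outside the hunks, so the rest of each cleanup path is not visible here.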