iptables-xml: Fix segfault on jump without a target

As reported in Bugzilla #1152, a segfault occurs in iptables-xml if a
jump or goto argument lacks a target argument. The following input will
segfault:
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 2200 -j

Problem occurs in do_rule_part, where the existsChain() function is called
with argv[arg + 1]. If the jump/goto argument is the last argument, then
arg + 1 is out of the array bounds. The fix ensures that arg + 1 is within
the array bounds before the call to existsChain() is made.

Signed-off-by: Oliver Ford <ojford@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 3 insertions, 6 deletions

diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 56b8372b..49674ec1 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -426,12 +426,9 @@ do_rule_part(char *leveltag1, char *leveltag2, int part, int argc,
 			else
 				printf("%s%s", spacer, argv[arg]);
 			spacer = " ";
-		} else if (!argvattr[arg] && isTarget(argv[arg])
-			   && existsChain(argv[arg + 1])
-			   && (2 + arg >= argc)) {
-			if (!((1 + arg) < argc))
-				// no args to -j, -m or -g, ignore & finish loop
-				break;
+		} else if (!argvattr[arg] && isTarget(argv[arg]) &&
+			   (arg + 1 < argc) &&
+			   existsChain(argv[arg + 1])) {
 			CLOSE_LEVEL(2);
 			if (level1)
 				printf("%s", leveli1);