From 97bf4e68fc0794adba3243fd96f40f4568e7216f Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Fri, 7 Oct 2022 18:29:07 +0200
Subject: libiptc: Fix for segfault when renaming a chain

This is an odd bug: If the number of chains is right and one renames the last one in the list, libiptc dereferences a NULL pointer. Add fix and test case for it.

Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc")
Reported-by: Julien Castets
Signed-off-by: Phil Sutter
---
 libiptc/libiptc.c | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'libiptc/libiptc.c')

diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index ceeb017b..97823f93 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -606,6 +606,15 @@ static int iptcc_chain_index_delete_chain(struct chain_head *c, struct xtc_handl
 if (index_ptr == &c->list) { /* Chain used as index ptr */
+ /* If this is the last chain in the list, its index bucket just
+ * became empty. Adjust the size to avoid a NULL-pointer deref
+ * later.
+ */
+ if (next == &h->chains) {
+ h->chain_index_sz--;
+ return 0;
+ }
+
 /* See if its possible to avoid a rebuild, by shifting
 * to next pointer. Its possible if the next pointer
 * is located in the same index bucket.
-- 
cgit v1.2.3
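Review bot: The new early return relies on an invariant the added comment leaves implicit: because c is the tail of h->chains and also the pointer its index bucket starts at, that bucket must be the last slot of the index, so decrementing h->chain_index_sz drops exactly that bucket and nothing else. The comment should say so, e.g. `/* c is both the tail of h->chains and a bucket head, so its bucket is the last index slot; shrinking the count drops exactly that bucket. */`, since a reader seeing only a bare decrement cannot tell why no other slot needs shifting. The stale entry left in the slot past the new size is harmless only as long as every reader of the index bounds itself by chain_index_sz, which is worth one more clause in that comment. iptcc_chain_index_delete_chain begins and ends outside the hunk, so the definitions of next, index_ptr and h are not visible here and this reading of them is inferred from the hunk header and the names alone.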