diff options
authorPhil Oester <>2014-01-23 22:06:58 -0800
committerPablo Neira Ayuso <>2014-01-29 20:16:08 +0100
commitf53b78e423d82b0c71c076480f52edeb5eaec5f8 (patch)
parenta0e224be48300b308a02f7bf898f0838463a7305 (diff)
iptables-xml: fix segfault if missing space after -A
As pointed out by Bernhard Reutner-Fischer, a malformed line fed to iptables-xml such as the below with a missing space after the -A: -APOSTROUTING -d -p tcp -j MASQUERADE causes a segfault. Patch attached. This closes netfilter bugzilla #886. Signed-off-by: Phil Oester <> Signed-off-by: Pablo Neira Ayuso <>
1 files changed, 5 insertions, 0 deletions
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 96284476..c7615abb 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -845,6 +845,11 @@ iptables_xml_main(int argc, char *argv[])
for (a = 0; a < newargc; a++)
DEBUGP("argv[%u]: %s\n", a, newargv[a]);
+ if (!chain) {
+ fprintf(stderr, "%s: line %u failed - no chain found\n",
+ prog_name, line);
+ exit(1);
+ }
needChain(chain);// Should we explicitly look for -A
do_rule(pcnt, bcnt, newargc, newargv, newargvattr);