authorPhil Sutter <phil@nwl.cc>2018-08-02 17:05:09 +0200
committerFlorian Westphal <fw@strlen.de>2018-08-04 14:08:56 +0200
commit89d344381c81bd1d5f29b498844f20280200c786 (patch)
treeabf42ce284d762871490e5eb4398251e3a8afdf7 /iptables/nft.c
parentc2594475dd270e3a81033fed2e5251dbd5ce319b (diff)
xtables: Fix for nft_rule_flush() returning garbage
Because 'ret' was not initialized on every path, the function's return code depended on whatever happened to be on the stack. Fix this by initializing 'ret' to zero at its declaration. While at it, treat failure of nftnl_chain_list_get() and of nftnl_chain_list_iter_create() as an error condition, since both functions should succeed even when the current ruleset contains no chains at all. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r--iptables/nft.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index d5c4c766..f2d6ea13 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1474,7 +1474,7 @@ int nft_chain_user_flush(struct nft_handle *h, struct nftnl_chain_list *list,
int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table)
{
- int ret;
+ int ret = 0;
struct nftnl_chain_list *list;
struct nftnl_chain_list_iter *iter;
struct nftnl_chain *c;
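Review bot: The new `int ret = 0;` initializer makes 0 the default (success) value but leaves the error convention implicit, while the early-exit paths in the following hunk now set `ret = 1` before `goto err`; a reader has to infer from the commit message that non-zero means failure and how that maps onto the function's final return. I would state it at the declaration, e.g. `int ret = 0;	/* 0 = success; error exits set this non-zero before goto err */`, so the next person adding an exit path keeps the convention instead of reintroducing the garbage-return bug. If nftnl_chain_list_get() hands back a list the caller owns (not visible here), the iter-creation failure path would also leave it unreleased — worth confirming against that helper. nft_rule_flush's body continues past the end of this hunk.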
@@ -1486,13 +1486,15 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table)
list = nftnl_chain_list_get(h);
if (list == NULL) {
- ret = 0;
+ ret = 1;
goto err;
}
iter = nftnl_chain_list_iter_create(list);
- if (iter == NULL)
+ if (iter == NULL) {
+ ret = 1;
goto err;
+ }
c = nftnl_chain_list_iter_next(iter);
while (c != NULL) {