authorPhil Sutter <phil@nwl.cc>2022-10-07 18:29:07 +0200
committerPhil Sutter <phil@nwl.cc>2022-10-07 23:03:42 +0200
commit97bf4e68fc0794adba3243fd96f40f4568e7216f (patch)
treea418bb94933cd2e17119892f1d17e4f8eaf25857 /libiptc
parent28c7bf020e9b1dcf94bd3162ce9c354c06bb6f97 (diff)
libiptc: Fix for segfault when renaming a chain
This is an odd bug: If the number of chains is right and one renames the last one in the list, libiptc dereferences a NULL pointer. Add fix and test case for it. Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc") Reported-by: Julien Castets <castets.j@gmail.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'libiptc')
-rw-r--r--libiptc/libiptc.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index ceeb017b..97823f93 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -606,6 +606,15 @@ static int iptcc_chain_index_delete_chain(struct chain_head *c, struct xtc_handl
if (index_ptr == &c->list) { /* Chain used as index ptr */
+ /* If this is the last chain in the list, its index bucket just
+ * became empty. Adjust the size to avoid a NULL-pointer deref
+ * later.
+ */
+ if (next == &h->chains) {
+ h->chain_index_sz--;
+ return 0;
+ }
+
/* See if its possible to avoid a rebuild, by shifting
* to next pointer. Its possible if the next pointer
* is located in the same index bucket.
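Review bot: The new early return in the `if (next == &h->chains)` branch shrinks `h->chain_index_sz` but leaves the index slot that referred to the just-unlinked chain untouched, so the array keeps a stale pointer one past the new size. That is only harmless while every reader bounds itself by `chain_index_sz` and while the emptied bucket really is the last one, and neither is visible in this hunk. I would clear the slot before the decrement, e.g. `h->chain_index[idx] = NULL;` (assuming `idx` is the bucket located earlier in the function), so a later out-of-range access fails predictably instead of touching a chain the caller may have freed or re-linked. The comment could also state the invariant the branch relies on, `/* c was the tail of h->chains, so idx is the last bucket */`. The body of iptcc_chain_index_delete_chain starts and ends outside the hunk, so the computation of `idx` and the callers' handling of `c` could not be checked here.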