evaluate: do not fetch next expression on runaway number of concatenation components

commit 955bb6d31c90453e43043346c917646ddc4e5c4e upstream.

If this is the last expression, then the runaway flag is set on and
evaluation bails in the next iteration, do not fetch next list element
which refers to the list head.

I found this by code inspection, I could not trigger any crash with this
one.

Fixes: ae1d54d1343f ("evaluate: do not crash on runaway number of concatenation components")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index 60d8cf9d76b2a2a5840208af6e65491b3e073e01..f8bc149d5b814d894f4e8a3c043dfcc375637fb2 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1502,8 +1502,8 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr)
                if (key && expressions) {
                        if (list_is_last(&key->list, expressions))
                                runaway = true;
-
-                       key = list_next_entry(key, list);
+                       else
+                               key = list_next_entry(key, list);
                }
 
                if (size > NFT_MAX_EXPR_LEN_BITS)