As reported in Bugzilla #1152, a segfault occurs in iptables-xml if a
jump or goto argument lacks a target argument. The following input will
segfault:

*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 2200 -j

Problem occurs in do_rule_part, where the existsChain() function is called
with argv[arg + 1]. If the jump/goto argument is the last argument, then
arg + 1 is out of the array bounds. The fix ensures that arg + 1 is within
the array bounds before the call to existsChain() is made.

Signed-off-by: Oliver Ford <ojford@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
else
printf("%s%s", spacer, argv[arg]);
spacer = " ";
- } else if (!argvattr[arg] && isTarget(argv[arg])
- && existsChain(argv[arg + 1])
- && (2 + arg >= argc)) {
- if (!((1 + arg) < argc))
- // no args to -j, -m or -g, ignore & finish loop
- break;
+ } else if (!argvattr[arg] && isTarget(argv[arg]) &&
+ (arg + 1 < argc) &&
+ existsChain(argv[arg + 1])) {
CLOSE_LEVEL(2);
if (level1)
printf("%s", leveli1);
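
Review bot: The rewritten condition drops the old `(2 + arg >= argc)` clause and the early `break` along with reordering the bounds check, and the commit message only describes the bounds check. With `(arg + 1 < argc) && existsChain(argv[arg + 1])`, this branch is now taken whenever the next argument names an existing chain, regardless of how many arguments follow, and a trailing `-j` with no target no longer ends the loop but falls through to whatever branches come after this `else if`. Please confirm both changes are intended and say so in the commit message, and check that the branches following this one (not visible in this hunk) do not read `argv[arg + 1]` when `arg` is the last index. A regression test using the three-line input from the commit message would keep the Bugzilla #1152 case covered.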