evaluate: do not fetch next expression on runaway number of concatenation components

If this is the last expression, then the runaway flag is set on and
evaluation bails in the next iteration, do not fetch next list element
which refers to the list head.

I found this by code inspection, I could not trigger any crash with this
one.

Fixes: ae1d54d1343f ("evaluate: do not crash on runaway number of concatenation components")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index 78732c6ee2d37d38692a9bc8d7badc76dec9c7f5..eb55f6c0a429375a64c42a1769466796e8cdab48 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1653,8 +1653,8 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr)
                if (key && expressions) {
                        if (list_is_last(&key->list, expressions))
                                runaway = true;
-
-                       key = list_next_entry(key, list);
+                       else
+                               key = list_next_entry(key, list);
                }
 
                ctx->inner_desc = NULL;