nameif: fix use-after-free in ENABLE_FEATURE_CLEAN_UP code

Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

diff --git a/networking/nameif.c b/networking/nameif.c
index 5d7e8f9..9a8846d 100644 (file)
--- a/networking/nameif.c
+++ b/networking/nameif.c
@@ -292,12 +292,11 @@ int nameif_main(int argc UNUSED_PARAM, char **argv)
                        if (ch->mac && memcmp(ch->mac, ifr.ifr_hwaddr.sa_data, ETH_ALEN) != 0)
                                continue;
                        /* if we came here, all selectors have matched */
-                       break;
+                       goto found;
                }
                /* Nothing found for current interface */
-               if (!ch)
-                       continue;
-
+               continue;
+ found:
                if (strcmp(ifr.ifr_name, ch->ifname) != 0) {
                        strcpy(ifr.ifr_newname, ch->ifname);
                        ioctl_or_perror_and_die(ctl_sk, SIOCSIFNAME, &ifr,
@@ -313,10 +312,14 @@ int nameif_main(int argc UNUSED_PARAM, char **argv)
                        ch->next->prev = ch->prev;
                if (ENABLE_FEATURE_CLEAN_UP)
                        delete_eth_table(ch);
-       }
+       } /* while */
+
        if (ENABLE_FEATURE_CLEAN_UP) {
-               for (ch = clist; ch; ch = ch->next)
+               ethtable_t *next;
+               for (ch = clist; ch; ch = next) {
+                       next = ch->next;
                        delete_eth_table(ch);
+               }
                config_close(parser);
        };