From: Jim Meyering <meyering@xxxxxxxxxx>
* src/nwfilter/nwfilter_ebiptables_driver.c (ebiptablesApplyNewRules):
Don't dereference a NULL or uninitialized pointer when given
an empty list of rules. Add an sa_assert(inst) in each loop to
tell clang that the uses of "inst[i]" are valid.
---
src/nwfilter/nwfilter_ebiptables_driver.c | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index b481b4c..f54099f 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2834,11 +2834,11 @@ ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
bool haveIptables = false;
bool haveIp6tables = false;
- if (inst)
- qsort(inst, nruleInstances, sizeof(inst[0]),
- ebiptablesRuleOrderSort);
+ if (nruleInstances > 1 && inst)
+ qsort(inst, nruleInstances, sizeof(inst[0]), ebiptablesRuleOrderSort);
for (i = 0; i < nruleInstances; i++) {
+ sa_assert (inst);
if (inst[i]->ruleType == RT_EBTABLES) {
if (inst[i]->chainprefix == CHAINPREFIX_HOST_IN_TEMP)
chains_in |= (1 << inst[i]->neededProtocolChain);
@@ -2881,6 +2881,7 @@ ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
goto tear_down_tmpebchains;
for (i = 0; i < nruleInstances; i++)
+ sa_assert (inst);
switch (inst[i]->ruleType) {
case RT_EBTABLES:
ebiptablesInstCommand(&buf,
@@ -2918,6 +2919,7 @@ ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
goto tear_down_tmpiptchains;
for (i = 0; i < nruleInstances; i++) {
+ sa_assert (inst);
if (inst[i]->ruleType == RT_IPTABLES)
iptablesInstCommand(&buf,
inst[i]->commandTemplate,
--
1.7.1.rc1.248.gcefbb
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list