[iptables PATCH 02/27] xtables: Fix for nft_rule_flush() returning garbage

Due to variable 'ret' not being initialized in all situations, the return
code of the function depends on garbage on the stack. Fix this by
initializing 'ret' to zero upon declaration.

While at it, make nftnl_chain_list_get() failure as well as
nftnl_chain_list_iter_create() failure an error condition, since both
functions should succeed even if the current ruleset does not contain
any chains at all.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index d5c4c7661c3ab..f2d6ea137e48d 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1474,7 +1474,7 @@ int nft_chain_user_flush(struct nft_handle *h, struct nftnl_chain_list *list,
 
 int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table)
 {
-	int ret;
+	int ret = 0;
 	struct nftnl_chain_list *list;
 	struct nftnl_chain_list_iter *iter;
 	struct nftnl_chain *c;
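Review bot: `int ret = 0;` makes success the default, so any path that reaches `err:` without assigning `ret` (for instance an early exit from the chain loop below, which is outside this hunk) is now reported as success instead of as stack garbage; please confirm no such path exists, or consider defaulting to the error value so an unforeseen early exit fails closed rather than open. A one-line comment stating that zero means "nothing to flush, not an error" would also document why the initializer is the right default here.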
@@ -1486,13 +1486,15 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table)
 
 	list = nftnl_chain_list_get(h);
 	if (list == NULL) {
-		ret = 0;
+		ret = 1;
 		goto err;
 	}
 
 	iter = nftnl_chain_list_iter_create(list);
-	if (iter == NULL)
+	if (iter == NULL) {
+		ret = 1;
 		goto err;
+	}
 
 	c = nftnl_chain_list_iter_next(iter);
 	while (c != NULL) {
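Review bot: Both early exits now `goto err` with `ret = 1`, but the `err:` label and the return convention it applies are outside this hunk; please confirm that `1` is mapped to the failure value callers expect (the loop body stores `__nft_rule_flush()` results in the same variable, so `ret` must mean the same thing on every path). Two further points: the two failures are indistinguishable to the caller, so a diagnostic before each `goto err` (e.g. `xtables_error(...)` or at least an `errno`-based message) would help users tell "ruleset unavailable" from "iterator allocation failed"; and since the `list == NULL` path still jumps to `err:`, confirm that the cleanup there tolerates a NULL list, because that path was previously treated as success and may not have been exercised as an error.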
-- 
2.18.0