From bc0ffc0e971c61dc7f09aab2a35966f99cc606ba Mon Sep 17 00:00:00 2001
From: Thomas De Schampheleire
Date: Thu, 28 Feb 2013 10:31:54 +0100
Subject: [PATCH] nameif: fix use-after-free in ENABLE_FEATURE_CLEAN_UP code
Signed-off-by: Thomas De Schampheleire
Signed-off-by: Denys Vlasenko
---
 networking/nameif.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/networking/nameif.c b/networking/nameif.c
index 5d7e8f9a4..9a8846dc0 100644
--- a/networking/nameif.c
+++ b/networking/nameif.c
@@ -292,12 +292,11 @@ int nameif_main(int argc UNUSED_PARAM, char **argv)
 if (ch->mac && memcmp(ch->mac, ifr.ifr_hwaddr.sa_data, ETH_ALEN) != 0)
 continue;
 /* if we came here, all selectors have matched */
- break;
+ goto found;
 }
 /* Nothing found for current interface */
- if (!ch)
- continue;
-
+ continue;
+ found:
 if (strcmp(ifr.ifr_name, ch->ifname) != 0) {
 strcpy(ifr.ifr_newname, ch->ifname);
 ioctl_or_perror_and_die(ctl_sk, SIOCSIFNAME, &ifr,
@@ -313,10 +312,14 @@ int nameif_main(int argc UNUSED_PARAM, char **argv)
 ch->next->prev = ch->prev;
 if (ENABLE_FEATURE_CLEAN_UP)
 delete_eth_table(ch);
- }
+ } /* while */
+
 if (ENABLE_FEATURE_CLEAN_UP) {
- for (ch = clist; ch; ch = ch->next)
+ ethtable_t *next;
+ for (ch = clist; ch; ch = next) {
+ next = ch->next;
 delete_eth_table(ch);
+ }
 config_close(parser);
 };
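Review bot: The new `found:` label in the first hunk directly follows an unconditional `continue;`, so everything below it is reachable only through `goto found`, and nothing in the code says so. A one-line comment at the label, e.g. `/* reached only via goto: ch is the entry whose selectors all matched */`, would keep a later reader from treating the `continue;` as dead code or moving the label. As far as the visible lines show, this rewrite preserves behaviour and is separate from the use-after-free named in the subject, which matters to anyone backporting only the memory-safety fix. The enclosing loops in nameif_main start and end outside the hunk.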
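Review bot: The rewritten cleanup loop in the second hunk is correct only because `next = ch->next;` is read before `delete_eth_table(ch)` runs, which per the commit subject frees the entry, and the code does not record that ordering requirement. A comment above the assignment, e.g. `/* save the link first: delete_eth_table() frees ch */`, would guard against the loop being folded back into the `ch = ch->next` form this commit removes. After the loop `clist` still holds the address of the first freed entry. No visible line reads it again, but the rest of nameif_main is outside the hunk, so adding `clist = NULL;` after the loop would be cheap hardening.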