ipfiler bug #550 filter rule list corrupted with inserted rules

Obtained from:	ipfilter CVS repo (r1.128); NetBSD CVS repo (r1.15)

1 files changed, 12 insertions, 0 deletions

diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c
index 2adfe26..f600092 100644
--- a/sys/contrib/ipfilter/netinet/fil.c
+++ b/sys/contrib/ipfilter/netinet/fil.c
@@ -4496,7 +4496,15 @@ frrequest(softc, unit, req, data, set, makecopy)
 
 		fp = f;
 		f = NULL;
+		fp->fr_next = NULL;
 		fp->fr_dnext = NULL;
+		fp->fr_pnext = NULL;
+		fp->fr_pdnext = NULL;
+		fp->fr_grp = NULL;
+		fp->fr_grphead = NULL;
+		fp->fr_icmpgrp = NULL;
+		fp->fr_isc = (void *)-1;
+		fp->fr_ptr = NULL;
 		fp->fr_ref = 0;
 		fp->fr_flags |= FR_COPIED;
 	} else {
@@ -5000,7 +5008,9 @@ frrequest(softc, unit, req, data, set, makecopy)
 				if (f->fr_collect > fp->fr_collect)
 					break;
 				ftail = &f->fr_next;
+				fprev = ftail;
 			}
+			ftail = fprev;
 			f = NULL;
 			ptr = NULL;
 		} else if (req == (ioctlcmd_t)SIOCINAFR ||
@@ -5091,6 +5101,8 @@ frrequest(softc, unit, req, data, set, makecopy)
 			fp->fr_ref = 1;
 		fp->fr_pnext = ftail;
 		fp->fr_next = *ftail;
+		if (fp->fr_next != NULL)
+			fp->fr_next->fr_pnext = &fp->fr_next;
 		*ftail = fp;
 		if (addrem == 0)
 			ipf_fixskip(ftail, fp, 1);