From 35d5a820e57fc378a7599e5a046395b9e203e59d Mon Sep 17 00:00:00 2001
From: "Alexander V. Chernikov" <melifaro@FreeBSD.org>
Date: Thu, 14 Aug 2014 08:42:16 +0000
Subject: [PATCH] Fix crash in case of iflist request on non-initialized
 tracker.

---
 sys/netpfil/ipfw/ip_fw_iface.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/sys/netpfil/ipfw/ip_fw_iface.c b/sys/netpfil/ipfw/ip_fw_iface.c
index e9b61ce68ed4..2238e8e435e9 100644
--- a/sys/netpfil/ipfw/ip_fw_iface.c
+++ b/sys/netpfil/ipfw/ip_fw_iface.c
@@ -489,6 +489,7 @@ export_iface_internal(struct namedobj_instance *ii, struct named_object *no,
 int
 ipfw_list_ifaces(struct ip_fw_chain *ch, struct sockopt_data *sd)
 {
+	struct namedobj_instance *ii;
 	struct _ipfw_obj_lheader *olh;
 	struct dump_iface_args da;
 	uint32_t count, size;
@@ -500,7 +501,11 @@ ipfw_list_ifaces(struct ip_fw_chain *ch, struct sockopt_data *sd)
 		return (EINVAL);
 
 	IPFW_UH_RLOCK(ch);
-	count = ipfw_objhash_count(CHAIN_TO_II(ch));
+	ii = CHAIN_TO_II(ch);
+	if (ii != NULL)
+		count = ipfw_objhash_count(ii);
+	else
+		count = 0;
 	size = count * sizeof(ipfw_iface_info) + sizeof(ipfw_obj_lheader);
 
 	/* Fill in header regadless of buffer size */
@@ -517,10 +522,10 @@ ipfw_list_ifaces(struct ip_fw_chain *ch, struct sockopt_data *sd)
 	da.ch = ch;
 	da.sd = sd;
 
-	ipfw_objhash_foreach(CHAIN_TO_II(ch), export_iface_internal, &da);
+	if (ii != NULL)
+		ipfw_objhash_foreach(ii, export_iface_internal, &da);
 	IPFW_UH_RUNLOCK(ch);
 
 	return (0);
 }
 
-