From: Michal Privoznik <mprivozn@redhat.com>

The iptablesPrivateChainCreate() function is given an array of
const strings. This constitutes a promise to the caller that the
data is not modified. But inside the data is modified anyway (to
cut out some parts of the data). Well, with a help from
g_strdup() the promise can be kept.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/network/network_iptables.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index 19dcfc7c8b..d21ce59b70 100644
--- a/src/network/network_iptables.c
+++ b/src/network/network_iptables.c
@@ -84,7 +84,7 @@ iptablesPrivateChainCreate(virFirewall *fw,
 {
     iptablesGlobalChainData *data = opaque;
     g_autoptr(GHashTable) chains = virHashNew(NULL);
-    g_autoptr(GHashTable) links = virHashNew(NULL);
+    g_autoptr(GHashTable) links = virHashNew(g_free);
     const char *const *line;
     size_t i;
 
@@ -96,16 +96,18 @@ iptablesPrivateChainCreate(virFirewall *fw,
             if (virHashUpdateEntry(chains, tmp, (void *)0x1) < 0)
                 return -1;
         } else if ((tmp = STRSKIP(*line, "-A "))) { /* eg "-A INPUT -j LIBVIRT_INP" */
-            char *sep = strchr(tmp, ' ');
+            const char *sep = strchr(tmp, ' ');
 
             if (sep) {
-                char *target;
+                const char *target;
 
-                *sep = '\0';
                 if ((target = STRSKIP(sep + 1, "-j "))) {
-                    if (virHashUpdateEntry(links, target,
-                                           (char *)tmp) < 0)
+                    char *chain = g_strndup(tmp, sep - tmp);
+
+                    if (virHashUpdateEntry(links, target, chain) < 0) {
+                        g_free(chain);
                         return -1;
+                    }
                 }
             }
         }
-- 
2.51.2