segtree: incorrect type when aggregating concatenated set ranges

commit 87f23fe0357da8f951faebbe2fa0b306048c2394 upstream.

Uncovered by the compound_expr_remove() replacement by type safe function
coming after this patch.

Add expression to the concatenation which is reachable via expr_value().

This bug is subtle, I could not spot any reproducible buggy behaviour
when using the wrong type when running the existing tests.

Fixes: 8ac2f3b2fca3 ("src: Add support for concatenated set ranges")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/segtree.c b/src/segtree.c
index 8ea434b8e6e40c8cc05274f53769ed1617734fc3..33517bea4f0d412c6adcf226f8931533640925ea 100644 (file)
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -425,7 +425,7 @@ next:
                        mpz_clear(range);
 
                        r2 = list_entry(r2_next, typeof(*r2), list);
-                       compound_expr_remove(start, r1);
+                       compound_expr_remove(expr_value(start), r1);
 
                        if (free_r1)
                                expr_free(r1);