netlink_delinearize: fix use-after-free

We have to clone the payload expression before attaching it to the lhs
of the relational expression, this payload expression is located at the
lhs of the binary operation that is released thereafter.

Fixes: 39f15c2 ("nft: support listing expressions that use non-byte header fields")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 4a85395f4cc2ac2d56726033528f1189ee95a584..3e1f912c709b53fed7719a93010f6e96f118414f 100644 (file)
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1188,8 +1188,8 @@ static void relational_binop_postprocess(struct rule_pp_ctx *ctx, struct expr *e
        } else if (binop->op == OP_AND &&
                   binop->left->ops->type == EXPR_PAYLOAD &&
                   binop->right->ops->type == EXPR_VALUE) {
-               struct expr *payload = expr->left->left;
-               struct expr *mask = expr->left->right;
+               struct expr *payload = binop->left;
+               struct expr *mask = binop->right;
 
                /*
                 * This *might* be a payload match testing header fields that
@@ -1237,7 +1237,7 @@ static void relational_binop_postprocess(struct rule_pp_ctx *ctx, struct expr *e
                        assert(expr->left->ops->type == EXPR_BINOP);
 
                        assert(binop->left == payload);
-                       expr->left = payload;
+                       expr->left = expr_get(payload);
                        expr_free(binop);
                }
        }