From: Pablo Neira Ayuso
Date: Tue, 13 Dec 2016 00:17:52 +0000 (+0100)
Subject: segtree: wrong prefix expression length on interval_map_decompose()
X-Git-Tag: v0.7~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=043a272e887f17290efb4b5eda1f7b01b6bb2340;p=thirdparty%2Fnftables.git

segtree: wrong prefix expression length on interval_map_decompose()

interval_map_decompose() sets expr->len to zero. This causes problems in
expr_to_intervals(), which calls range_expr_value_high() and calculates:

	expr->len - expr->prefix_len

This operation underflows, then mpz_init_bitmask() allocates a huge bitmask.

Use expr_value(i)->len given that we already use this to calculate the
prefix length.

Reported-by: Richard Mörbitz
Signed-off-by: Pablo Neira Ayuso
---

diff --git a/src/segtree.c b/src/segtree.c
index 32e071f6..45e5f5b2 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -693,7 +693,8 @@ void interval_map_decompose(struct expr *set) prefix_len = expr_value(i)->len - mpz_scan0(range, 0); prefix = prefix_expr_alloc(&low->location, expr_value(low), prefix_len); - prefix->len = low->len; + prefix->len = expr_value(i)->len; + prefix = set_elem_expr_alloc(&low->location, prefix); if (low->ops->type == EXPR_MAPPING) prefix = mapping_expr_alloc(&low->location, prefix,
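Review bot: in the @@ -693 hunk the width is now taken from expr_value(i)->len while the prefix expression itself is built from expr_value(low) two lines earlier; the two must agree for the fix to be correct, so either use expr_value(low)->len for the prefix (the value it actually wraps) or compute the width once into a local and use it for both `prefix_len = ... - mpz_scan0(range, 0)` and `prefix->len = ...`, so the length and the prefix length can never drift apart again. The second `+` line in the hunk adds an empty line that is unrelated to the fix and should be dropped to keep the change minimal. Since the bug manifests as an unsigned underflow of expr->len - expr->prefix_len in range_expr_value_high() followed by an oversized mpz_init_bitmask() allocation, a regression test that decomposes a map containing a prefix-shaped interval would confirm the width is set for every prefix element, not just on this path.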