From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 13 Aug 2025 13:19:23 +0000 (+0200)
Subject: segtree: incorrect type when aggregating concatenated set ranges
X-Git-Tag: v1.1.5~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c44995e31ba60c4823bb81fecd29020452b9e702;p=thirdparty%2Fnftables.git

segtree: incorrect type when aggregating concatenated set ranges

Uncovered by the compound_expr_remove() replacement by type safe function
coming after this patch.

Add expression to the concatenation which is reachable via expr_value().

This bug is subtle, I could not spot any reproducible buggy behaviour
when using the wrong type when running the existing tests.

Fixes: 8ac2f3b2fca3 ("src: Add support for concatenated set ranges")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

diff --git a/src/segtree.c b/src/segtree.c
index 70b4416c..fd77e03f 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -448,7 +448,7 @@ next:
 			mpz_clear(range);
 
 			r2 = list_entry(r2_next, typeof(*r2), list);
-			compound_expr_remove(start, r1);
+			compound_expr_remove(expr_value(start), r1);
 
 			if (free_r1)
 				expr_free(r1);