git.ipfire.org Git - thirdparty/nftables.git/commitdiff
segtree: wrong prefix expression length on interval_map_decompose()
author: Pablo Neira Ayuso <pablo@netfilter.org>
Tue, 13 Dec 2016 00:17:52 +0000 (01:17 +0100)
committer: Pablo Neira Ayuso <pablo@netfilter.org>
Tue, 13 Dec 2016 00:28:02 +0000 (01:28 +0100)
interval_map_decompose() sets expr->len to zero. This causes problems
in expr_to_intervals(), which calls range_expr_value_high() and
calculates:

 expr->len - expr->prefix_len

This operation underflows, and then mpz_init_bitmask() allocates a huge
bitmask.

Use expr_value(i)->len given that we already use this to calculate the
prefix length.

Reported-by: Richard Mörbitz <richard.moerbitz@tu-dresden.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/segtree.c

index 32e071f6b5e8c5ca90913dbe1206a7402310470f..45e5f5b22e2ea9edc64ec826a8cf39cdbd7c900b 100644 (file)
@@ -693,7 +693,8 @@ void interval_map_decompose(struct expr *set)
                        prefix_len = expr_value(i)->len - mpz_scan0(range, 0);
                        prefix = prefix_expr_alloc(&low->location, expr_value(low),
                                                   prefix_len);
-                       prefix->len = low->len;
+                       prefix->len = expr_value(i)->len;
+
                        prefix = set_elem_expr_alloc(&low->location, prefix);
                        if (low->ops->type == EXPR_MAPPING)
                                prefix = mapping_expr_alloc(&low->location, prefix,
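Review bot: the fix at `+ prefix->len = expr_value(i)->len;` matches how `prefix_len` is derived two lines earlier (`prefix_len = expr_value(i)->len - mpz_scan0(range, 0);`), so the `expr->len - expr->prefix_len` subtraction in range_expr_value_high() can no longer go negative for this element, but nothing in the hunk makes that invariant explicit; consider adding `assert(prefix_len <= prefix->len);` right after the assignment, or a one-line comment stating that the length and the prefix length must come from the same value width, so a future change to either line cannot silently reintroduce the underflow. Two smaller points: `prefix_len` is computed from `i` while the prefix expression itself is built from `expr_value(low)`, so if those can ever differ in width the length should be taken from the expression actually passed to prefix_expr_alloc(); and the commit carries no test change, so a regression test for the interval map decomposition case reported in the commit message would be worth adding alongside this fix.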