git.ipfire.org Git - thirdparty/nftables.git/commitdiff
evaluate: set: Fix nested set merge size adjustment
author: Phil Sutter <phil@nwl.cc>
Mon, 20 Mar 2017 16:38:56 +0000 (17:38 +0100)
committer: Pablo Neira Ayuso <pablo@netfilter.org>
Tue, 21 Mar 2017 13:17:49 +0000 (14:17 +0100)
When merging a nested set into the parent one, we are actually replacing
one item with the items of the nested set. Therefore we have to remove
the replaced item from size.

The respective bug isn't as easy to trigger, since the size field seems
to be relevant only when set elements are ranges which are checked for
overlaps. Here's an example of how to trigger it:

| add rule ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 }

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/evaluate.c

index 86ff8ebd17629ffc1b94f757e3a5e9ef43893602..b5db724cbd37bcf4642674e3843cbe4fbb233fdc 100644
@@ -1149,7 +1149,7 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
                        /* Merge recursive set definitions */
                        list_splice_tail_init(&i->expressions, &i->list);
                        list_del(&i->list);
-                       set->size      += i->size;
+                       set->size      += i->size - 1;
                        set->set_flags |= i->set_flags;
                        expr_free(i);
                } else if (!expr_is_singleton(i))
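Review bot: the `- 1` on the `set->size` line encodes the fact that the nested set expression `i` is itself one element of the parent and is dropped by the `list_del(&i->list)` two lines above, but nothing in the code says so; a short comment beside `/* Merge recursive set definitions */` (e.g. `/* i itself is replaced by its elements */`) would keep a later reader from reverting it to `+= i->size`. It is also worth confirming that `i->size` can never be 0 on this path, since an empty nested set would then decrement the parent's size below the real element count and feed a wrong value into the range overlap check the commit message mentions, and adding the rule from the commit message as a regression test so the size mismatch is caught if this logic changes again.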