evaluate: Avoid undefined behaviour in concat_subtype_id()
authorPhil Sutter <phil@nwl.cc>
Tue, 30 Aug 2016 17:39:52 +0000 (19:39 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 5 Sep 2016 17:09:02 +0000 (19:09 +0200)
For the left side of a concat expression, dtype is NULL and therefore
off is 0. In that case the code expects to get a datatype of
TYPE_INVALID, but this is fragile as the output of concat_subtype_id()
is undefined for n > 32 / TYPE_BITS.

To fix this, call datatype_lookup() directly passing the expected
TYPE_INVALID as argument if off is 0.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/evaluate.c

index 194a03495b5fd0762ed82aa6c6901346e4678349..c1ee6b19295512bbb8eabdcf7d211bf984fd1977 100644 (file)
@@ -962,7 +962,10 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr)
                                                 "expressions",
                                                 i->dtype->name);
 
-               tmp = concat_subtype_lookup(type, --off);
+               if (dtype == NULL)
+                       tmp = datatype_lookup(TYPE_INVALID);
+               else
+                       tmp = concat_subtype_lookup(type, --off);
                expr_set_context(&ctx->ectx, tmp, tmp->size);
 
                if (list_member_evaluate(ctx, &i) < 0)
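Review bot: `tmp` is dereferenced as `tmp->size` in the `expr_set_context()` call right after the new if/else, and nothing in the hunk shows that either lookup is guaranteed to return a datatype. The else branch still builds a subtype id from `type` and `--off`, so if `concat_subtype_lookup()` can return NULL for an id with no registered datatype (its definition is outside this hunk, so this is inferred), a malformed concat would crash the evaluator instead of being rejected. A guard before the call, e.g. `if (tmp == NULL) return -1;` or the error helper used just above, would turn that into a normal evaluation error. A short comment on the new branch, such as `/* no expected type: off is 0, so --off would make the shift in concat_subtype_id() undefined */`, would also tie the `dtype == NULL` test to the `off == 0` case the commit message describes. The body of `expr_evaluate_concat()` starts and ends outside the hunk.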