evaluate: fix export length and data corruption

Pablo reported that ipv6 tests would fail on some systems:
WARNING: 'add rule --debug=netlink ip6 test-ip6 input ip6 flowlabel set 0':
'[ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00000000 ]' mismatches
'[ bitwise reg 1 = (reg=1 & 0x00000000 ) ^ 0x00000000 ]'
                                    ^ should be 'f'

Problem is that mpz_export_data expects the size of the output
buffer in bytes, but this gave bit-based size.

Then, when mpz_export_data clears the output buffer it will
also clear 8 extra bytes on stack; depending on compiler version (stack
layout) this will then clear the bitmask value that we want to export.

Fixes: 78936d50f306c ("evaluate: add support to set IPv6 non-byte header fields")
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Tested-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index cebc5a9ead7a4b291c417c0792270d931f5c1224..bcbced1e3dfa6d30b028eab840575248feb6d304 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1798,7 +1798,7 @@ static int stmt_evaluate_payload(struct eval_ctx *ctx, struct stmt *stmt)
        mpz_clear(ff);
 
        assert(sizeof(data) * BITS_PER_BYTE >= masklen);
-       mpz_export_data(data, bitmask, BYTEORDER_HOST_ENDIAN, masklen);
+       mpz_export_data(data, bitmask, BYTEORDER_HOST_ENDIAN, sizeof(data));
        mask = constant_expr_alloc(&payload->location, expr_basetype(payload),
                                   BYTEORDER_HOST_ENDIAN, masklen, data);