From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 13 Aug 2025 13:19:23 +0000 (+0200)
Subject: segtree: incorrect type when aggregating concatenated set ranges
X-Git-Tag: v1.0.6.1~24
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0a08ec914368028506d0bc8a10338a5a805d02cf;p=thirdparty%2Fnftables.git

segtree: incorrect type when aggregating concatenated set ranges

commit 87f23fe0357da8f951faebbe2fa0b306048c2394 upstream.

Uncovered by the compound_expr_remove() replacement by type safe function
coming after this patch.

Add expression to the concatenation which is reachable via expr_value().

This bug is subtle, I could not spot any reproducible buggy behaviour
when using the wrong type when running the existing tests.

Fixes: 8ac2f3b2fca3 ("src: Add support for concatenated set ranges")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

diff --git a/src/segtree.c b/src/segtree.c
index 8ea434b8..33517bea 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -425,7 +425,7 @@ next:
 			mpz_clear(range);
 
 			r2 = list_entry(r2_next, typeof(*r2), list);
-			compound_expr_remove(start, r1);
+			compound_expr_remove(expr_value(start), r1);
 
 			if (free_r1)
 				expr_free(r1);