segtree: UAF in interval_map_decompose()

reported by tests/monitor# bash run-tests.sh
...
SUMMARY: AddressSanitizer: heap-use-after-free /home/pablo/devel/scm/git-netfilter/nftables/src/expression.c:1385 in expr_ops

Due to incorrect structure layout when calling interval_expr_copy().

Fixes: c1f0476fd590 ("segtree: copy expr data to closing element")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/segtree.c b/src/segtree.c
index ec281359c6913526cafaa57e31fca886987e61ad..ba455a6a8137676ae3880ce690f278f0fdb51389 100644 (file)
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -1084,11 +1084,13 @@ void interval_map_decompose(struct expr *set)
                i = range_expr_alloc(&low->location,
                                     expr_clone(expr_value(low)), i);
                i = set_elem_expr_alloc(&low->location, i);
-               if (low->etype == EXPR_MAPPING)
+               if (low->etype == EXPR_MAPPING) {
                        i = mapping_expr_alloc(&i->location, i,
                                               expr_clone(low->right));
-
-               interval_expr_copy(i, low);
+                       interval_expr_copy(i->left, low->left);
+               } else {
+                       interval_expr_copy(i, low);
+               }
                expr_free(low);
        }