From: Pablo Neira Ayuso Date: Tue, 20 Oct 2020 19:24:36 +0000 (+0200) Subject: segtree: UAF in interval_map_decompose() X-Git-Tag: v0.9.7~4 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=f1786e55b9ea0baa1357c0289b551407bf15b417;p=thirdparty%2Fnftables.git segtree: UAF in interval_map_decompose() reported by tests/monitor# bash run-tests.sh ... SUMMARY: AddressSanitizer: heap-use-after-free /home/pablo/devel/scm/git-netfilter/nftables/src/expression.c:1385 in expr_ops Due to incorrect structure layout when calling interval_expr_copy(). Fixes: c1f0476fd590 ("segtree: copy expr data to closing element") Signed-off-by: Pablo Neira Ayuso --- diff --git a/src/segtree.c b/src/segtree.c index ec281359..ba455a6a 100644 --- a/src/segtree.c +++ b/src/segtree.c @@ -1084,11 +1084,13 @@ void interval_map_decompose(struct expr *set) i = range_expr_alloc(&low->location, expr_clone(expr_value(low)), i); i = set_elem_expr_alloc(&low->location, i); - if (low->etype == EXPR_MAPPING) + if (low->etype == EXPR_MAPPING) { i = mapping_expr_alloc(&i->location, i, expr_clone(low->right)); - - interval_expr_copy(i, low); + interval_expr_copy(i->left, low->left); + } else { + interval_expr_copy(i, low); + } expr_free(low); }
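Review bot: the hunk fixes the operand type passed to interval_expr_copy() but leaves the precondition undocumented; in the EXPR_MAPPING branch the wrapped mapping expressions i and low are now unwrapped with `interval_expr_copy(i->left, low->left);`, while the else branch still passes the set element expressions directly with `interval_expr_copy(i, low);`, so the function evidently expects EXPR_SET_ELEM operands on both sides, and passing the mapping itself is what the AddressSanitizer report in the commit message traces back to expr_ops. A one-line comment above the if, or an assertion on the etype of the operands inside interval_expr_copy(), would make that contract visible to the next caller and turn a silent use-after-free into an immediate abort. Also note that `mapping_expr_alloc(&i->location, ...)` still reads i->location before i is reassigned to the new mapping; that is the same ordering as before the patch and is fine, but if location should be taken from low rather than from the freshly allocated element it would be worth stating in the message.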