author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-10-20 21:24:36 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-10-20 21:27:01 +0200 |
commit | f1786e55b9ea0baa1357c0289b551407bf15b417 (patch) | |
tree | 7d36f3c7a9bc95831eba3e834cdeaff874bcb9c7 /src | |
parent | c85a7b0faad897b094b95153212ce351140721ea (diff) |
segtree: UAF in interval_map_decompose()
reported by tests/monitor# bash run-tests.sh
...
SUMMARY: AddressSanitizer: heap-use-after-free /home/pablo/devel/scm/git-netfilter/nftables/src/expression.c:1385 in expr_ops
Due to incorrect structure layout when calling interval_expr_copy().
Fixes: c1f0476fd590 ("segtree: copy expr data to closing element")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/segtree.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/segtree.c b/src/segtree.c index ec281359..ba455a6a 100644 --- a/src/segtree.c +++ b/src/segtree.c @@ -1084,11 +1084,13 @@ void interval_map_decompose(struct expr *set) i = range_expr_alloc(&low->location, expr_clone(expr_value(low)), i); i = set_elem_expr_alloc(&low->location, i); - if (low->etype == EXPR_MAPPING) + if (low->etype == EXPR_MAPPING) { i = mapping_expr_alloc(&i->location, i, expr_clone(low->right)); - - interval_expr_copy(i, low); + interval_expr_copy(i->left, low->left); + } else { + interval_expr_copy(i, low); + } expr_free(low); } |
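Review bot: the new EXPR_MAPPING branch calls interval_expr_copy() on `i->left` and `low->left` while the else branch calls it on `i` and `low`, and nothing in the hunk says why; a short comment above the `if` noting that for a mapping the set_elem expression (the one interval_expr_copy() expects, per the commit message's "incorrect structure layout") sits under ->left, with the mapping wrapper allocated by `mapping_expr_alloc(&i->location, i, ...)` on top of it, would keep a future cleanup from folding the two branches back into a single `interval_expr_copy(i, low)`, which is exactly the shape that produced the heap-use-after-free in expr_ops. It would also help to state in the commit message that the AddressSanitizer run from tests/monitor was repeated with this change for both the mapping and non-mapping paths through interval_map_decompose(), since the else branch is unchanged behaviour and only the mapping path was observed to fail.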