author | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-12-13 01:17:52 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-12-13 01:28:02 +0100 |
commit | 043a272e887f17290efb4b5eda1f7b01b6bb2340 (patch) | |
tree | 1c8bf34aff277b055c59287cba77992fbc7ca4f8 /src | |
parent | d03de764e498954a08251dee9e820347ad177970 (diff) |
segtree: wrong prefix expression length on interval_map_decompose()

interval_map_decompose() sets expr->len to zero. This causes problems
from expr_to_intervals() that calls range_expr_value_high() and
calculates:

    expr->len - expr->prefix_len

this operation underflows, then mpz_init_bitmask() allocates a huge
bitmask.

Use expr_value(i)->len given that we already use this to calculate the
prefix length.

Reported-by: Richard Mörbitz <richard.moerbitz@tu-dresden.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
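
The arithmetic described in the commit message, worked through as an added example that is not part of the commit or of nftables. `struct prefix_model` and the helper names are hypothetical, and `unsigned int` for both fields is an assumption.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the two fields named in the commit message;
 * unsigned int for both is an assumption. */
struct prefix_model {
	unsigned int len;        /* total width of the value, in bits */
	unsigned int prefix_len; /* leading bits covered by the prefix */
};

/* Unchecked form of "expr->len - expr->prefix_len". */
unsigned int host_bits_unchecked(const struct prefix_model *p)
{
	return p->len - p->prefix_len; /* wraps around when len < prefix_len */
}

/* Checked form: refuses to produce a width when prefix_len exceeds len. */
bool host_bits_checked(const struct prefix_model *p, unsigned int *out)
{
	if (p->prefix_len > p->len)
		return false;
	*out = p->len - p->prefix_len;
	return true;
}

/* Bytes a bitmask of 'bits' bits needs, rounded up. */
size_t bitmask_bytes(unsigned int bits)
{
	return (size_t)bits / CHAR_BIT + (bits % CHAR_BIT != 0);
}

int main(void)
{
	struct prefix_model bad = { .len = 0, .prefix_len = 24 };   /* constructed */
	struct prefix_model good = { .len = 32, .prefix_len = 24 }; /* constructed */
	unsigned int bits;

	printf("unchecked(bad): %u bits -> %zu bytes\n", host_bits_unchecked(&bad),
	       bitmask_bytes(host_bits_unchecked(&bad)));
	printf("checked(bad): %s\n",
	       host_bits_checked(&bad, &bits) ? "accepted" : "rejected");
	if (host_bits_checked(&good, &bits))
		printf("checked(good): %u bits -> %zu bytes\n", bits, bitmask_bytes(bits));
	return 0;
}
```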
Diffstat (limited to 'src')
-rw-r--r-- | src/segtree.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/segtree.c b/src/segtree.c index 32e071f6..45e5f5b2 100644 --- a/src/segtree.c +++ b/src/segtree.c @@ -693,7 +693,8 @@ void interval_map_decompose(struct expr *set) prefix_len = expr_value(i)->len - mpz_scan0(range, 0); prefix = prefix_expr_alloc(&low->location, expr_value(low), prefix_len); - prefix->len = low->len; + prefix->len = expr_value(i)->len; + prefix = set_elem_expr_alloc(&low->location, prefix); if (low->ops->type == EXPR_MAPPING) prefix = mapping_expr_alloc(&low->location, prefix, |
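
Review bot: after `prefix->len = expr_value(i)->len;` nothing enforces the invariant the fix relies on, namely that the prefix length never exceeds the expression length. The hunk now derives both values from `expr_value(i)->len`, which keeps them consistent here, but the subtraction `expr->len - expr->prefix_len` that the commit message identifies as the underflow site is left unguarded, so any other path that produces a prefix expression with a stale or zero `len` would hit the same oversized allocation. Consider asserting `prefix_len <= len` where the prefix expression is built or immediately before that subtraction, so a violation fails loudly instead of reaching `mpz_init_bitmask()`. The same applies to `prefix_len = expr_value(i)->len - mpz_scan0(range, 0);` at the top of the hunk, which is an unchecked subtraction of the same shape. A regression test covering the reported interval map case would also help keep this from reappearing.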