evaluate: Avoid undefined behaviour in concat_subtype_id()

For the left side of a concat expression, dtype is NULL and therefore off is 0. In that case the code expects to get a datatype of TYPE_INVALID, but this is fragile as the output of concat_subtype_id() is undefined for n > 32 / TYPE_BITS. To fix this, call datatype_lookup() directly passing the expected TYPE_INVALID as argument if off is 0. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Phil Sutter <phil@nwl.cc> 2016-08-30 19:39:52 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2016-09-05 19:09:02 +0200
commit: 83e52f7a7f5eaa893e146d23ff2e9292179f9485 (patch)
tree: 5fe364970ea9f268171cb8c980a9f461fc5b85b7 /src
parent: 7241af302bbe56908fa87b17799048bfe884e35f (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 194a0349..c1ee6b19 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -962,7 +962,10 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr)
 						 "expressions",
 						 i->dtype->name);
 
-		tmp = concat_subtype_lookup(type, --off);
+		if (dtype == NULL)
+			tmp = datatype_lookup(TYPE_INVALID);
+		else
+			tmp = concat_subtype_lookup(type, --off);
 		expr_set_context(&ctx->ectx, tmp, tmp->size);
 
 		if (list_member_evaluate(ctx, &i) < 0)
author	Phil Sutter <phil@nwl.cc>	2016-08-30 19:39:52 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2016-09-05 19:09:02 +0200
commit	83e52f7a7f5eaa893e146d23ff2e9292179f9485 (patch)
tree	5fe364970ea9f268171cb8c980a9f461fc5b85b7 /src
parent	7241af302bbe56908fa87b17799048bfe884e35f (diff)