From 95629758a5ec36313d839f8545fef0dc220408d8 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 1 Oct 2018 14:51:24 +0200
Subject: segtree: bogus range via get set element on existing elements
table ip x { set y { type inet_service flags interval elements = { 10, 20-30, 40, 50-60 } } }
# nft get element x y { 20-40 }
table ip x { set y { type inet_service flags interval elements = { 20-40 } } }
20 and 40 exist in the tree, but they are part of different ranges.
This patch adds a new get_set_decompose() function to validate that the left and the right side of the range.
Reported-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
 src/netlink.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'src/netlink.c')
diff --git a/src/netlink.c b/src/netlink.c
index f795d984..7c3082bb 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1361,8 +1361,9 @@ int netlink_get_setelem(struct netlink_ctx *ctx, const struct handle *h,
 nftnl_set_free(nls_out);
 ctx->set = NULL;

- if (set->flags & NFT_SET_INTERVAL)
- get_set_decompose(table, set);
+ if (set->flags & NFT_SET_INTERVAL &&
+ get_set_decompose(table, set) < 0)
+ return -1;

 return 0;
 }
-- 
cgit v1.2.3
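Review bot: The new condition mixes a bitwise `&` with a logical `&&` without parentheses; it parses as intended because `&` binds tighter, but the flag test is easier to read and safer against future edits as `if ((set->flags & NFT_SET_INTERVAL) &&`. The added `return -1` sits after `nftnl_set_free(nls_out)` and `ctx->set = NULL`, so nothing is leaked on this path, but whether get_set_decompose() reports why the requested range was rejected, or the caller just sees a bare -1, is not visible in this hunk and is worth confirming so the user gets a diagnostic rather than a silent failure. The commit message says it "adds a new get_set_decompose() function", yet the removed line already called it, so presumably the change is that it now returns an int status; the message could say that explicitly. netlink_get_setelem() begins outside the hunk.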