segtree: UAF in interval_map_decompose()

reported by tests/monitor# bash run-tests.sh ... SUMMARY: AddressSanitizer: heap-use-after-free /home/pablo/devel/scm/git-netfilter/nftables/src/expression.c:1385 in expr_ops Due to incorrect structure layout when calling interval_expr_copy(). Fixes: c1f0476fd590 ("segtree: copy expr data to closing element") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2020-10-20 21:24:36 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2020-10-20 21:27:01 +0200
commit: f1786e55b9ea0baa1357c0289b551407bf15b417 (patch)
tree: 7d36f3c7a9bc95831eba3e834cdeaff874bcb9c7
parent: c85a7b0faad897b094b95153212ce351140721ea (diff)
1 files changed, 5 insertions, 3 deletions
diff --git a/src/segtree.c b/src/segtree.c
index ec281359..ba455a6a 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -1084,11 +1084,13 @@ void interval_map_decompose(struct expr *set)
 		i = range_expr_alloc(&low->location,
 				     expr_clone(expr_value(low)), i);
 		i = set_elem_expr_alloc(&low->location, i);
-		if (low->etype == EXPR_MAPPING)
+		if (low->etype == EXPR_MAPPING) {
 			i = mapping_expr_alloc(&i->location, i,
 					       expr_clone(low->right));
-
-		interval_expr_copy(i, low);
+			interval_expr_copy(i->left, low->left);
+		} else {
+			interval_expr_copy(i, low);
+		}
 		expr_free(low);
 	}
author	Pablo Neira Ayuso <pablo@netfilter.org>	2020-10-20 21:24:36 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2020-10-20 21:27:01 +0200
commit	f1786e55b9ea0baa1357c0289b551407bf15b417 (patch)
tree	7d36f3c7a9bc95831eba3e834cdeaff874bcb9c7
parent	c85a7b0faad897b094b95153212ce351140721ea (diff)