author Pablo Neira Ayuso <pablo@netfilter.org> 2016-12-13 01:17:52 +0100
committer Pablo Neira Ayuso <pablo@netfilter.org> 2016-12-13 01:28:02 +0100
commit 043a272e887f17290efb4b5eda1f7b01b6bb2340 (patch)
tree 1c8bf34aff277b055c59287cba77992fbc7ca4f8 /src
parent d03de764e498954a08251dee9e820347ad177970 (diff)
segtree: wrong prefix expression length on interval_map_decompose()

interval_map_decompose() sets expr->len to zero. This causes problems from
expr_to_intervals() that calls range_expr_value_high() and calculates:

        expr->len - expr->prefix_len

this operation underflows, then mpz_init_bitmask() allocates a huge bitmask.

Use expr_value(i)->len given that we already use this to calculate the
prefix length.

Reported-by: Richard Mörbitz <richard.moerbitz@tu-dresden.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'src')
-rw-r--r-- src/segtree.c 3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/segtree.c b/src/segtree.c
index 32e071f6..45e5f5b2 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -693,7 +693,8 @@ void interval_map_decompose(struct expr *set)
prefix_len = expr_value(i)->len - mpz_scan0(range, 0);
prefix = prefix_expr_alloc(&low->location, expr_value(low),
prefix_len);
- prefix->len = low->len;
+ prefix->len = expr_value(i)->len;
+
prefix = set_elem_expr_alloc(&low->location, prefix);
if (low->ops->type == EXPR_MAPPING)
prefix = mapping_expr_alloc(&low->location, prefix,
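
Review bot: On the added line prefix->len = expr_value(i)->len; the length is read from expr_value(i), while the prefix itself is allocated from expr_value(low) just above. If i and low always refer to the same element here, a short comment saying so (or using expr_value(low)->len) would make the invariant explicit; if they can differ, the length and the value could disagree. Since the commit message traces the huge allocation to expr->len - expr->prefix_len in range_expr_value_high(), it would also be worth asserting len >= prefix_len at that subtraction so that any future caller that leaves len at zero fails early instead of reaching mpz_init_bitmask() with an underflowed size. Minor: the extra blank line added after the assignment is unrelated to the fix.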