From f1786e55b9ea0baa1357c0289b551407bf15b417 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 20 Oct 2020 21:24:36 +0200
Subject: segtree: UAF in interval_map_decompose() reported by tests/monitor
# bash run-tests.sh ...
SUMMARY: AddressSanitizer: heap-use-after-free /home/pablo/devel/scm/git-netfilter/nftables/src/expression.c:1385 in expr_ops
Due to incorrect structure layout when calling interval_expr_copy().
Fixes: c1f0476fd590 ("segtree: copy expr data to closing element")
Signed-off-by: Pablo Neira Ayuso
---
 src/segtree.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/segtree.c b/src/segtree.c
index ec281359..ba455a6a 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -1084,11 +1084,13 @@ void interval_map_decompose(struct expr *set)
 i = range_expr_alloc(&low->location, expr_clone(expr_value(low)), i);
 i = set_elem_expr_alloc(&low->location, i);
- if (low->etype == EXPR_MAPPING)
+ if (low->etype == EXPR_MAPPING) {
 i = mapping_expr_alloc(&i->location, i, expr_clone(low->right));
-
- interval_expr_copy(i, low);
+ interval_expr_copy(i->left, low->left);
+ } else {
+ interval_expr_copy(i, low);
+ }
 expr_free(low);
 }
-- 
cgit v1.2.3
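Review bot: The corrected call `interval_expr_copy(i->left, low->left)` silently depends on a layout invariant that nothing in the hunk states: once `mapping_expr_alloc()` has wrapped `i`, both `i` and `low` are EXPR_MAPPING wrappers whose set-element (and the interval fields the copy touches) sits in `->left`, and copying at the wrapper level was what produced the use-after-free being fixed. A comment on the mapping branch would keep the next edit from reintroducing it, e.g. `/* i and low are now both mappings; the interval data lives on the set element in ->left, not on the wrapper */`. If segtree.c already uses assert() for this kind of structural precondition, an `assert(low->left->etype == EXPR_SET_ELEM);` before the copy would turn a future layout mismatch into a clean abort instead of heap corruption, though I have not verified what mapping_expr_alloc() stores in ->left from this hunk alone. interval_map_decompose() begins before and continues after the hunk.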