interval_map_decompose() sets expr->len to zero. This causes problems
from expr_to_intervals() that calls range_expr_value_high() and
calculates:

         expr->len - expr->prefix_len

this operation underflows, then mpz_init_bitmask() allocates a huge
bitmask.

Use expr_value(i)->len given that we already use this to calculate the
prefix length.

Reported-by: Richard Mörbitz <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
---
 src/segtree.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/segtree.c b/src/segtree.c
index 32e071f6b5e8..45e5f5b22e2e 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -693,7 +693,8 @@ void interval_map_decompose(struct expr *set)
                        prefix_len = expr_value(i)->len - mpz_scan0(range, 0);
                        prefix = prefix_expr_alloc(&low->location, 
expr_value(low),
                                                   prefix_len);
-                       prefix->len = low->len;
+                       prefix->len = expr_value(i)->len;
+
                        prefix = set_elem_expr_alloc(&low->location, prefix);
                        if (low->ops->type == EXPR_MAPPING)
                                prefix = mapping_expr_alloc(&low->location, 
prefix,
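Review bot: the replacement line reads the length from `expr_value(i)` while the prefix it applies to was allocated from `expr_value(low)` on the line just above, so the hunk now silently relies on `i` and `low` having the same width; either take the length from the expression actually wrapped (`expr_value(low)->len`) or add a one-line comment stating why `expr_value(i)->len` is the right source, mirroring the `prefix_len` computation at the top of the hunk. Since the root cause per the description is `interval_map_decompose()` leaving `expr->len` at zero and `range_expr_value_high()` computing `expr->len - expr->prefix_len` unchecked, a guard on that subtraction (for instance asserting `len >= prefix_len`) would turn any future zero-length expression into an immediate, diagnosable failure rather than an oversized `mpz_init_bitmask()` allocation, and a regression test covering the map decomposition case from the report would be worth adding with this change.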
-- 
2.1.4

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html