interval_map_decompose() sets expr->len to zero. This causes problems from expr_to_intervals() that calls range_expr_value_high() and calculates: expr->len - expr->prefix_len this operation underflows, then mpz_init_bitmask() allocates a huge bitmask. Use expr_value(i)->len given that we already use this to calculate the prefix length. Reported-by: Richard Mörbitz <richard.moerbitz@xxxxxxxxxxxxx> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> --- src/segtree.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/segtree.c b/src/segtree.c index 32e071f6b5e8..45e5f5b22e2e 100644 --- a/src/segtree.c +++ b/src/segtree.c @@ -693,7 +693,8 @@ void interval_map_decompose(struct expr *set) prefix_len = expr_value(i)->len - mpz_scan0(range, 0); prefix = prefix_expr_alloc(&low->location, expr_value(low), prefix_len); - prefix->len = low->len; + prefix->len = expr_value(i)->len; + prefix = set_elem_expr_alloc(&low->location, prefix); if (low->ops->type == EXPR_MAPPING) prefix = mapping_expr_alloc(&low->location, prefix, -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
