From f6d9610c86ce6f1b8618611e3c993970760bc03d Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Mon, 10 Mar 2025 08:29:37 +0100 Subject: evaluate: don't crash if range has same start and end interval In this case, evaluation step replaces the range expression with a single value and we'd crash as range->left/right contain garbage values. Simply replace the input expression with the evaluation result. Also add a test case modeled on the afl reproducer. Fixes: fe6cc0ad29cd ("evaluate: consolidate evaluation of symbol range expression") Signed-off-by: Florian Westphal Reviewed-by: Pablo Neira Ayuso --- src/evaluate.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'src') diff --git a/src/evaluate.c b/src/evaluate.c index e27d08ce..722c11a2 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -2351,6 +2351,10 @@ static int expr_evaluate_symbol_range(struct eval_ctx *ctx, struct expr **exprp) expr_free(range); return -1; } + + if (range->etype != EXPR_RANGE) + goto out_done; + left = range->left; right = range->right; @@ -2371,6 +2375,7 @@ static int expr_evaluate_symbol_range(struct eval_ctx *ctx, struct expr **exprp) return 0; } +out_done: expr_free(expr); *exprp = range; -- cgit v1.2.3
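Review bot: the new `if (range->etype != EXPR_RANGE) goto out_done;` in the first hunk carries no comment explaining why `expr_evaluate()` can hand back something other than a range at this point; the commit message says a range whose start and end are equal is folded into a single value, but a reader of `expr_evaluate_symbol_range()` will not see that reasoning in the code. Suggest a one-line comment above the check, e.g. `/* start == end: evaluation collapsed the range to a single value */`, and since the message states the result is a single value, consider checking for that expected type explicitly rather than only for `!= EXPR_RANGE`, so that any other unexpected expression type is not silently passed through to `*exprp`.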
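Review bot: `out_done:` in the second hunk jumps onto the existing tail that does `expr_free(expr); *exprp = range;`, while the error path shown at the top of the first hunk does `expr_free(range); return -1;`; the two exits free different objects, so a short comment at the label noting that from here `range` is handed to the caller through `*exprp` and `expr` is the one being discarded would make the ownership rule obvious for the new early exit. Separately, the diffstat lists only `src/evaluate.c` and the page is marked `(limited to 'src')`, so the test case the commit message says was added lives outside this view and cannot be checked here.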