From d9b22d809995f16b2bc988c8f72d70a5cd3e86d1 Mon Sep 17 00:00:00 2001

From: Phil Sutter <psutter@redhat.com>

Date: Fri, 15 Mar 2019 17:50:10 +0100

Subject: [PATCH] libxt_string: Avoid potential array out of bounds access

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980

Upstream Status: iptables commit 56d7ab42f3782

commit 56d7ab42f37829ab8d42f34b77fd630ce08f5a7c

Author: Phil Sutter <phil@nwl.cc>

Date:   Mon Sep 10 23:35:16 2018 +0200

    libxt_string: Avoid potential array out of bounds access

    The pattern index variable 'sindex' is bounds checked before

    incrementing it, which means in the next loop iteration it might already

    match the bounds check condition but is used anyway.

    Fix this by incrementing the index before performing the bounds check.

    Signed-off-by: Phil Sutter <phil@nwl.cc>

    Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>

---

 extensions/libxt_string.c | 3 +--

 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c

index fb15980e4a73f..d298c6a7081e7 100644

--- a/extensions/libxt_string.c

+++ b/extensions/libxt_string.c

@@ -159,9 +159,8 @@ parse_hex_string(const char *s, struct xt_string_info *info)

 			info->pattern[sindex] = s[i];

 			i++;

 		}

-		if (sindex > XT_STRING_MAX_PATTERN_SIZE)

+		if (++sindex > XT_STRING_MAX_PATTERN_SIZE)

 			xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);

-		sindex++;

 	}

 	info->patlen = sindex;

 }

-- 

2.21.0