|
|
43df5c |
From d9b22d809995f16b2bc988c8f72d70a5cd3e86d1 Mon Sep 17 00:00:00 2001
|
|
|
43df5c |
From: Phil Sutter <psutter@redhat.com>
|
|
|
43df5c |
Date: Fri, 15 Mar 2019 17:50:10 +0100
|
|
|
43df5c |
Subject: [PATCH] libxt_string: Avoid potential array out of bounds access
|
|
|
43df5c |
|
|
|
43df5c |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
|
|
|
43df5c |
Upstream Status: iptables commit 56d7ab42f3782
|
|
|
43df5c |
|
|
|
43df5c |
commit 56d7ab42f37829ab8d42f34b77fd630ce08f5a7c
|
|
|
43df5c |
Author: Phil Sutter <phil@nwl.cc>
|
|
|
43df5c |
Date: Mon Sep 10 23:35:16 2018 +0200
|
|
|
43df5c |
|
|
|
43df5c |
libxt_string: Avoid potential array out of bounds access
|
|
|
43df5c |
|
|
|
43df5c |
The pattern index variable 'sindex' is bounds checked before
|
|
|
43df5c |
incrementing it, which means in the next loop iteration it might already
|
|
|
43df5c |
match the bounds check condition but is used anyway.
|
|
|
43df5c |
|
|
|
43df5c |
Fix this by incrementing the index before performing the bounds check.
|
|
|
43df5c |
|
|
|
43df5c |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
43df5c |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
43df5c |
|
|
|
43df5c |
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
|
43df5c |
---
|
|
|
43df5c |
extensions/libxt_string.c | 3 +--
|
|
|
43df5c |
1 file changed, 1 insertion(+), 2 deletions(-)
|
|
|
43df5c |
|
|
|
43df5c |
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
|
|
|
43df5c |
index fb15980e4a73f..d298c6a7081e7 100644
|
|
|
43df5c |
--- a/extensions/libxt_string.c
|
|
|
43df5c |
+++ b/extensions/libxt_string.c
|
|
|
43df5c |
@@ -159,9 +159,8 @@ parse_hex_string(const char *s, struct xt_string_info *info)
|
|
|
43df5c |
info->pattern[sindex] = s[i];
|
|
|
43df5c |
i++;
|
|
|
43df5c |
}
|
|
|
43df5c |
- if (sindex > XT_STRING_MAX_PATTERN_SIZE)
|
|
|
43df5c |
+ if (++sindex > XT_STRING_MAX_PATTERN_SIZE)
|
|
|
43df5c |
xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
|
|
|
43df5c |
- sindex++;
|
|
|
43df5c |
}
|
|
|
43df5c |
info->patlen = sindex;
|
|
|
43df5c |
}
|
|
|
43df5c |
--
|
|
|
43df5c |
2.21.0
|
|
|
43df5c |
|