Blame SOURCES/libxt_string-Avoid-potential-array-out-of-bounds-acc.patch

43df5c
From d9b22d809995f16b2bc988c8f72d70a5cd3e86d1 Mon Sep 17 00:00:00 2001
43df5c
From: Phil Sutter <psutter@redhat.com>
43df5c
Date: Fri, 15 Mar 2019 17:50:10 +0100
43df5c
Subject: [PATCH] libxt_string: Avoid potential array out of bounds access
43df5c
43df5c
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
43df5c
Upstream Status: iptables commit 56d7ab42f3782
43df5c
43df5c
commit 56d7ab42f37829ab8d42f34b77fd630ce08f5a7c
43df5c
Author: Phil Sutter <phil@nwl.cc>
43df5c
Date:   Mon Sep 10 23:35:16 2018 +0200
43df5c
43df5c
    libxt_string: Avoid potential array out of bounds access
43df5c
43df5c
    The pattern index variable 'sindex' is bounds checked before
43df5c
    incrementing it, which means in the next loop iteration it might already
43df5c
    match the bounds check condition but is used anyway.
43df5c
43df5c
    Fix this by incrementing the index before performing the bounds check.
43df5c
43df5c
    Signed-off-by: Phil Sutter <phil@nwl.cc>
43df5c
    Signed-off-by: Florian Westphal <fw@strlen.de>
43df5c
43df5c
Signed-off-by: Phil Sutter <psutter@redhat.com>
43df5c
---
43df5c
 extensions/libxt_string.c | 3 +--
43df5c
 1 file changed, 1 insertion(+), 2 deletions(-)
43df5c
43df5c
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
43df5c
index fb15980e4a73f..d298c6a7081e7 100644
43df5c
--- a/extensions/libxt_string.c
43df5c
+++ b/extensions/libxt_string.c
43df5c
@@ -159,9 +159,8 @@ parse_hex_string(const char *s, struct xt_string_info *info)
43df5c
 			info->pattern[sindex] = s[i];
43df5c
 			i++;
43df5c
 		}
43df5c
-		if (sindex > XT_STRING_MAX_PATTERN_SIZE)
43df5c
+		if (++sindex > XT_STRING_MAX_PATTERN_SIZE)
43df5c
 			xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
43df5c
-		sindex++;
43df5c
 	}
43df5c
 	info->patlen = sindex;
43df5c
 }
43df5c
-- 
43df5c
2.21.0
43df5c