|
 |
43df5c |
From 5790cacab5a3fd7bde26056fa0f8b4650bd21bb7 Mon Sep 17 00:00:00 2001
|
|
|
43df5c |
From: Phil Sutter <psutter@redhat.com>
|
|
|
43df5c |
Date: Fri, 15 Mar 2019 17:50:10 +0100
|
|
|
43df5c |
Subject: [PATCH] libxt_string: Fix array out of bounds check
|
|
|
43df5c |
|
|
|
43df5c |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
|
|
|
43df5c |
Upstream Status: iptables commit 6fc7762f6f785
|
|
|
43df5c |
|
|
|
43df5c |
commit 6fc7762f6f78526e3cb0c189ac2778a6be4c00b5
|
|
|
43df5c |
Author: Phil Sutter <phil@nwl.cc>
|
|
|
43df5c |
Date: Mon Sep 17 13:38:33 2018 +0200
|
|
|
43df5c |
|
|
|
43df5c |
libxt_string: Fix array out of bounds check
|
|
|
43df5c |
|
|
|
43df5c |
Commit 56d7ab42f3782 ("libxt_string: Avoid potential array out of bounds
|
|
|
43df5c |
access") tried to fix parse_hex_string() for overlong strings but the
|
|
|
43df5c |
change still allowed for 'sindex' to become XT_STRING_MAX_PATTERN_SIZE
|
|
|
43df5c |
which leads to access of first byte after info->pattern. This is not
|
|
|
43df5c |
really a problem because it merely overwrites info->patlen before
|
|
|
43df5c |
calling xtables_error() later, but covscan still detects it so it's
|
|
|
43df5c |
still worth fixing.
|
|
|
43df5c |
|
|
|
43df5c |
The crucial bit here is that 'sindex' has to be incremented at end of
|
|
|
43df5c |
the last iteration since its value is used for info->patlen. Hence just
|
|
|
43df5c |
move the overflow check to the beginning of the loop.
|
|
|
43df5c |
|
|
|
43df5c |
Fixes: 56d7ab42f3782 ("libxt_string: Avoid potential array out of bounds access")
|
|
|
43df5c |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
43df5c |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
43df5c |
|
|
|
43df5c |
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
|
43df5c |
---
|
|
|
43df5c |
extensions/libxt_string.c | 6 ++++--
|
|
|
43df5c |
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
43df5c |
|
|
|
43df5c |
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
|
|
|
43df5c |
index d298c6a7081e7..7c6366cbbf1b3 100644
|
|
|
43df5c |
--- a/extensions/libxt_string.c
|
|
|
43df5c |
+++ b/extensions/libxt_string.c
|
|
|
43df5c |
@@ -103,6 +103,9 @@ parse_hex_string(const char *s, struct xt_string_info *info)
|
|
|
43df5c |
}
|
|
|
43df5c |
|
|
|
43df5c |
while (i < slen) {
|
|
|
43df5c |
+ if (sindex >= XT_STRING_MAX_PATTERN_SIZE)
|
|
|
43df5c |
+ xtables_error(PARAMETER_PROBLEM,
|
|
|
43df5c |
+ "STRING too long \"%s\"", s);
|
|
|
43df5c |
if (s[i] == '\\' && !hex_f) {
|
|
|
43df5c |
literal_f = 1;
|
|
|
43df5c |
} else if (s[i] == '\\') {
|
|
|
43df5c |
@@ -159,8 +162,7 @@ parse_hex_string(const char *s, struct xt_string_info *info)
|
|
|
43df5c |
info->pattern[sindex] = s[i];
|
|
|
43df5c |
i++;
|
|
|
43df5c |
}
|
|
|
43df5c |
- if (++sindex > XT_STRING_MAX_PATTERN_SIZE)
|
|
|
43df5c |
- xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
|
|
|
43df5c |
+ sindex++;
|
|
|
43df5c |
}
|
|
|
43df5c |
info->patlen = sindex;
|
|
|
43df5c |
}
|
|
|
43df5c |
--
|
|
|
43df5c |
2.21.0
|
|
|
43df5c |
|