From d9b22d809995f16b2bc988c8f72d70a5cd3e86d1 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:50:10 +0100
Subject: [PATCH] libxt_string: Avoid potential array out of bounds access
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 56d7ab42f3782
commit 56d7ab42f37829ab8d42f34b77fd630ce08f5a7c
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Sep 10 23:35:16 2018 +0200
libxt_string: Avoid potential array out of bounds access
The pattern index variable 'sindex' is bounds checked before
incrementing it, which means in the next loop iteration it might already
match the bounds check condition but is used anyway.
Fix this by incrementing the index before performing the bounds check.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_string.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index fb15980e4a73f..d298c6a7081e7 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -159,9 +159,8 @@ parse_hex_string(const char *s, struct xt_string_info *info)
info->pattern[sindex] = s[i];
i++;
}
- if (sindex > XT_STRING_MAX_PATTERN_SIZE)
+ if (++sindex > XT_STRING_MAX_PATTERN_SIZE)
xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
- sindex++;
}
info->patlen = sindex;
}
--
2.21.0