author | Phil Sutter <phil@nwl.cc> | 2018-09-10 23:35:16 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2018-09-13 10:48:11 +0200 |
commit | 56d7ab42f37829ab8d42f34b77fd630ce08f5a7c | |
tree | 00d7802be6e6b27f94118f094bc0c3dc85f48a0c | |
parent | bfd41c8d99a54769678e0c66d55797082bf1edd3 |

libxt_string: Avoid potential array out of bounds access

The pattern index variable 'sindex' is bounds checked before
incrementing it, which means in the next loop iteration it might already
match the bounds check condition but is used anyway.

Fix this by incrementing the index before performing the bounds check.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

-rw-r--r-- | extensions/libxt_string.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c index fb15980e..d298c6a7 100644 --- a/extensions/libxt_string.c +++ b/extensions/libxt_string.c @@ -159,9 +159,8 @@ parse_hex_string(const char *s, struct xt_string_info *info) info->pattern[sindex] = s[i]; i++; } - if (sindex > XT_STRING_MAX_PATTERN_SIZE) + if (++sindex > XT_STRING_MAX_PATTERN_SIZE) xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s); - sindex++; } info->patlen = sindex; } |
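
Review bot: The new check `if (++sindex > XT_STRING_MAX_PATTERN_SIZE)` still runs after the store `info->pattern[sindex] = s[i];` in the same iteration, so the error can only fire once a store at index XT_STRING_MAX_PATTERN_SIZE has already happened. With `>`, sindex equal to XT_STRING_MAX_PATTERN_SIZE passes the check, and if input remains, the next iteration writes info->pattern[XT_STRING_MAX_PATTERN_SIZE] before xtables_error() is reached. The declaration of pattern is not visible in this hunk; if the array has exactly XT_STRING_MAX_PATTERN_SIZE elements, that store is one past the end. Consider testing `sindex >= XT_STRING_MAX_PATTERN_SIZE` ahead of each store into info->pattern instead, which still accepts a pattern of the full permitted length and keeps `info->patlen = sindex;` within the limit.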