authorPhil Sutter <phil@nwl.cc>2018-09-10 23:35:16 +0200
committerFlorian Westphal <fw@strlen.de>2018-09-13 10:48:11 +0200
commit56d7ab42f37829ab8d42f34b77fd630ce08f5a7c (patch)
tree00d7802be6e6b27f94118f094bc0c3dc85f48a0c /extensions
parentbfd41c8d99a54769678e0c66d55797082bf1edd3 (diff)
libxt_string: Avoid potential array out of bounds access
The pattern index variable 'sindex' is bounds checked before incrementing it, which means in the next loop iteration it might already match the bounds check condition but is used anyway. Fix this by incrementing the index before performing the bounds check. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'extensions')
-rw-r--r--extensions/libxt_string.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index fb15980e..d298c6a7 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -159,9 +159,8 @@ parse_hex_string(const char *s, struct xt_string_info *info)
info->pattern[sindex] = s[i];
i++;
}
- if (sindex > XT_STRING_MAX_PATTERN_SIZE)
+ if (++sindex > XT_STRING_MAX_PATTERN_SIZE)
xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
- sindex++;
}
info->patlen = sindex;
}
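Review bot: The bounds check still runs after the store into `info->pattern[sindex]`, and because it compares with `>`, a `sindex` equal to `XT_STRING_MAX_PATTERN_SIZE` passes it and becomes the index used on the following iteration. If `pattern` is declared with `XT_STRING_MAX_PATTERN_SIZE` elements (the declaration is not in this hunk), that is still a one-byte write past the array before `xtables_error()` is reached. Testing before any store, with `if (sindex >= XT_STRING_MAX_PATTERN_SIZE) xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);` at the top of the loop body and a plain `sindex++;` at the end, would reject over-long input without writing out of bounds. The loop header and the other branches that store into `pattern` lie outside this hunk, so the placement needs to be confirmed against them.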