From 56d7ab42f37829ab8d42f34b77fd630ce08f5a7c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Mon, 10 Sep 2018 23:35:16 +0200
Subject: libxt_string: Avoid potential array out of bounds access

The pattern index variable 'sindex' is bounds checked before
incrementing it, which means in the next loop iteration it might already
match the bounds check condition but is used anyway.

Fix this by incrementing the index before performing the bounds check.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 extensions/libxt_string.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'extensions')

diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index fb15980e..d298c6a7 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -159,9 +159,8 @@ parse_hex_string(const char *s, struct xt_string_info *info)
 			info->pattern[sindex] = s[i];
 			i++;
 		}
-		if (sindex > XT_STRING_MAX_PATTERN_SIZE)
+		if (++sindex > XT_STRING_MAX_PATTERN_SIZE)
 			xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
-		sindex++;
 	}
 	info->patlen = sindex;
 }
-- 
cgit v1.2.3