libxt_string: Avoid potential array out of bounds access
authorPhil Sutter <phil@nwl.cc>
Mon, 10 Sep 2018 21:35:16 +0000 (23:35 +0200)
committerFlorian Westphal <fw@strlen.de>
Thu, 13 Sep 2018 08:48:11 +0000 (10:48 +0200)
The pattern index variable 'sindex' is bounds checked before
incrementing it, which means in the next loop iteration it might already
match the bounds check condition but is used anyway.

Fix this by incrementing the index before performing the bounds check.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
extensions/libxt_string.c

index fb15980e4a73fc490c904a97e4c5804f847f6088..d298c6a7081e7ade72233edaee7d762ecb101a54 100644 (file)
@@ -159,9 +159,8 @@ parse_hex_string(const char *s, struct xt_string_info *info)
                        info->pattern[sindex] = s[i];
                        i++;
                }
-               if (sindex > XT_STRING_MAX_PATTERN_SIZE)
+               if (++sindex > XT_STRING_MAX_PATTERN_SIZE)
                        xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
-               sindex++;
        }
        info->patlen = sindex;
 }
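Review bot: The new check `++sindex > XT_STRING_MAX_PATTERN_SIZE` still lets sindex reach XT_STRING_MAX_PATTERN_SIZE without raising the error, so the next iteration's store `info->pattern[sindex] = s[i]` would write one element past the array. This assumes pattern is declared with XT_STRING_MAX_PATTERN_SIZE elements; the declaration is not in this hunk and should be confirmed. Testing before the store closes that gap while still accepting a pattern of exactly the maximum length: put `if (sindex >= XT_STRING_MAX_PATTERN_SIZE) xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);` at the top of the loop body and keep a plain `sindex++;` at the bottom. The loop head and any other stores into info->pattern lie outside the hunk, so every store path should be checked against the same guard.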