Package: iptables
Version: 1.4.2-5
Severity: normal
Tags: patch

Hi,

The pattern/algorithm length for the string match can be stored as a non-null-terminated string. Thus if I try to store a pattern:

- strlen(pattern) = 127 => everything is fine
- strlen(pattern) = 128 => invalid argument
- strlen(pattern) = 129 => string too long

I have enclosed a patch, but that could be handled in a different way.

Regards,

-- 
Franck Joncourt
http://debian.org - http://smhteam.info/wiki/
From: Franck Joncourt <[email protected]> Subject: [PATCH] fixes/libxt_string Make the pattern length to be strictly less than the buffer size allocated to store it. The pattern is stored in the buffer as a null terminated string. Same change for the algorithm. Signed-off-by: Franck Joncourt <[email protected]> --- extensions/libxt_string.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c index 5b3ebf6..88d5799 100644 --- a/extensions/libxt_string.c +++ b/extensions/libxt_string.c @@ -63,7 +63,7 @@ static void string_init(struct xt_entry_match *m) static void parse_string(const char *s, struct xt_string_info *info) { - if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) { + if (strlen(s) < XT_STRING_MAX_PATTERN_SIZE) { strncpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE); info->patlen = strlen(s); return; @@ -74,7 +74,7 @@ parse_string(const char *s, struct xt_string_info *info) static void parse_algo(const char *s, struct xt_string_info *info) { - if (strlen(s) <= XT_STRING_MAX_ALGO_NAME_SIZE) { + if (strlen(s) < XT_STRING_MAX_ALGO_NAME_SIZE) { strncpy(info->algo, s, XT_STRING_MAX_ALGO_NAME_SIZE); return; } -- tg: (c9a4aed..) fixes/libxt_string (depends on: upstream)
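Review bot: in parse_string, the tightened check "strlen(s) < XT_STRING_MAX_PATTERN_SIZE" gives up the last byte of the pattern buffer for a terminator even though the following line already records the length in info->patlen. If the readers of info->pattern go by patlen, the copy was already bounded by the strncpy limit and the failure at the boundary length described in the report would be better fixed where the pattern is read back; if something does depend on the terminator, say so in a comment next to the check. Separately, strlen(s) is evaluated twice in this function; compute it once and reuse it for both the test and the patlen assignment.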
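Review bot: the "<" bound in parse_algo deserves a one-line comment saying it reserves room for the terminating NUL. This function stores no length alongside info->algo, so the terminator is the only end marker, and with the old "<=" a name of exactly XT_STRING_MAX_ALGO_NAME_SIZE characters was copied by strncpy with no NUL appended. Without the comment the comparison is easy to "correct" back to "<=" later. If info->algo is a fixed-size array, testing against sizeof(info->algo) would also keep the check tied to the real buffer size rather than to the macro.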

