From 80ca27be4274ffa2bebd39871747b4a73c393980 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Wed, 29 Apr 2026 09:36:03 +0200
Subject: [PATCH] BUG/MINOR: net_helper: fix incomplete decoding in
 sample_conv_eth_vlan

sample_conv_eth_vlan() reads the VLAN TCI at area[idx + 2] without
ensuring there are enough bytes. The original condition 'idx + 4 < data'
breaks when there IS room for more data, leading to an incomplete read
when trying to decode a VLAN ID.

This can be backported where this converter was backported.
---
 src/net_helper.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/net_helper.c b/src/net_helper.c
index 6b46bfe5e..e71abd9b0 100644
--- a/src/net_helper.c
+++ b/src/net_helper.c
@@ -110,9 +110,8 @@ static int sample_conv_eth_vlan(const struct arg *arg_p, struct sample *smp, voi
 			smp->flags &= ~SMP_F_CONST;
 			return !!vlan;
 		}
-		if (idx + 4 < smp->data.u.str.data)
+		if (idx + 4 > smp->data.u.str.data)
 			break;
-
 		vlan = read_n16(smp->data.u.str.area + idx + 2) & 0xfff;
 	}
 	/* incomplete header */