mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2026-05-01 19:20:59 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: net_helper: fix out-of-bounds read in tcp_fullhdr_find_opt

Browse Source 
tcp_fullhdr_find_opt() reads smp->data.u.str.area[next + 1] without
checking that next + 1 < len. When the last byte of a TCP header's
options section (at index len - 1) contains an option type that is not
0 (EOL) and not 1 (NOP), the code reads one byte past the valid buffer,
which is an out-of-bounds read, which in practice is totally harmless
but should be fixed.

This can be backported where tcp_fullhdr_find_opt() was backported.
This commit is contained in:
Willy Tarreau 2026-04-29 09:31:27 +02:00
parent 465dca8e81
commit 9ed6a121a9
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/net_helper.c
View File

@ -446,7 +446,12 @@ static size_t tcp_fullhdr_find_opt(const struct sample *smp, uint8_t opt)
if (smp->data.u.str.area[next] == 0) // kind0=end of options
break;
/* kind1 = NOP and is a single byte, others have a length field */
next += (smp->data.u.str.area[next] == 1) ? 1 : smp->data.u.str.area[next + 1];
if (smp->data.u.str.area[next] == 1)
next++;
else if (next + 1 < len)
next += smp->data.u.str.area[next + 1];
else
break;
if (smp->data.u.str.area[curr] == opt && next <= len)
return curr;
}