From 9ed6a121a9ce0999fdfa1dc7d8a67eacc53d062b Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Wed, 29 Apr 2026 09:31:27 +0200
Subject: [PATCH] BUG/MINOR: net_helper: fix out-of-bounds read in tcp_fullhdr_find_opt

tcp_fullhdr_find_opt() reads smp->data.u.str.area[next + 1] without checking that next + 1 < len. When the last byte of a TCP header's options section (at index len - 1) contains an option type that is not 0 (EOL) and not 1 (NOP), the code reads one byte past the valid buffer, which is an out-of-bounds read, which in practice is totally harmless but should be fixed. This can be backported where tcp_fullhdr_find_opt() was backported.

---
 src/net_helper.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/net_helper.c b/src/net_helper.c
index b4efd159d..4d842979c 100644
--- a/src/net_helper.c
+++ b/src/net_helper.c
@@ -446,7 +446,12 @@ static size_t tcp_fullhdr_find_opt(const struct sample *smp, uint8_t opt)
 if (smp->data.u.str.area[next] == 0) // kind0=end of options
 break;
 /* kind1 = NOP and is a single byte, others have a length field */
- next += (smp->data.u.str.area[next] == 1) ? 1 : smp->data.u.str.area[next + 1];
+ if (smp->data.u.str.area[next] == 1)
+ next++;
+ else if (next + 1 < len)
+ next += smp->data.u.str.area[next + 1];
+ else
+ break;
 if (smp->data.u.str.area[curr] == opt && next <= len)
 return curr;
 }
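Review bot: The option length byte read on the new `next += smp->data.u.str.area[next + 1];` line is still used unvalidated: a length of 0 or 1 leaves `next` on the same option instead of advancing past it, and because `area` is a `char` buffer a value of 0x80 or more is negative on signed-char targets, so a malformed options field can stall or rewind the walk rather than end it. The loop header and its exit condition are outside this hunk, so I cannot confirm whether the surrounding `next <= len` checks bound that case; the bounds check added here does not. Reading the byte as unsigned and rejecting lengths below 2 (the minimum, since the length counts the kind and length bytes) covers both: `else if (next + 1 < len && (unsigned char)smp->data.u.str.area[next + 1] >= 2)` followed by `next += (unsigned char)smp->data.u.str.area[next + 1];`. The existing `else break;` then also terminates parsing on a malformed length, which matches how the EOL case is handled a few lines above.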