mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2026-05-04 12:41:00 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: net_helper: fix out-of-bounds read in sample_conv_tcp_options_list

Browse Source 
sample_conv_tcp_options_list() uses 'ofs + 1 <= len' to check bounds
before reading the option length field at area[ofs + 1]. When ofs + 1
equals len, this reads one byte past the valid buffer (valid indices are
0 to len-1).

This is the same bug pattern as tcp_fullhdr_find_opt() fixed previously,
and the impact is also almost inexistent.
This commit is contained in:
Willy Tarreau 2026-04-29 09:31:56 +02:00
parent 9ed6a121a9
commit afa32223b1
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/net_helper.c
View File

@ -606,7 +606,7 @@ static int sample_conv_tcp_options_list(const struct arg *arg_p, struct sample *
/* kind1 = NOP and is a single byte, others have a length field */
if (smp->data.u.str.area[ofs] == 1)
ofs++;
else if (ofs + 1 <= len)
else if (ofs + 1 < len)
ofs += smp->data.u.str.area[ofs + 1];
else
break;