From afa32223b1bc61e265f1017222c9b5614b38af15 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Wed, 29 Apr 2026 09:31:56 +0200
Subject: [PATCH] BUG/MINOR: net_helper: fix out-of-bounds read in sample_conv_tcp_options_list

sample_conv_tcp_options_list() uses 'ofs + 1 <= len' to check bounds before reading the option length field at area[ofs + 1]. When ofs + 1 equals len, this reads one byte past the valid buffer (valid indices are 0 to len-1). This is the same bug pattern as tcp_fullhdr_find_opt() fixed previously, and the impact is also almost inexistent.
---
 src/net_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/net_helper.c b/src/net_helper.c
index 4d842979c..6b46bfe5e 100644
--- a/src/net_helper.c
+++ b/src/net_helper.c
@@ -606,7 +606,7 @@ static int sample_conv_tcp_options_list(const struct arg *arg_p, struct sample *
 /* kind1 = NOP and is a single byte, others have a length field */
 if (smp->data.u.str.area[ofs] == 1)
 ofs++;
- else if (ofs + 1 <= len)
+ else if (ofs + 1 < len)
 ofs += smp->data.u.str.area[ofs + 1];
 else
 break;
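Review bot: The option length byte is still added to `ofs` unvalidated in `ofs += smp->data.u.str.area[ofs + 1];`, even though the read itself is now in bounds. A TCP option with a length field cannot validly be shorter than 2, so a length of 0 would leave `ofs` unchanged; if this sits in a loop that relies on `ofs` advancing (the loop is outside the hunk), the same option would be processed again. If `area` is a plain `char` buffer, a byte of 0x80 or more may also be sign-extended on platforms where `char` is signed, moving `ofs` the wrong way. I would read the byte as unsigned and reject short values inside a braced branch, for example `uint8_t olen = (uint8_t)smp->data.u.str.area[ofs + 1]; if (olen < 2) break; ofs += olen;`. The function starts and ends outside the hunk, so the loop condition and the declared types of `ofs` and `len` should be confirmed there.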