BUG/MAJOR: net_helper: ip.fp infinite loop on malformed tcp options

A malformed tcp option with an option length set to 0 can cause
an infinite loop on ip.fp converter.

The patch also forces the computation to use an unsigned char to
avoid a shift back during the parsing.

This fix should be backported on all versions including the ip.fp
converter.
Emeric Brun 2026-04-22 14:45:09 +02:00 committed by Willy Tarreau
parent 7e1cc0fcdb
commit dbf471f99a

@ -776,8 +776,8 @@ static int sample_conv_ip_fp(const struct arg *arg_p, struct sample *smp, void *
/* kind1 = NOP and is a single byte, others have a length field */
if (smp->data.u.str.area[ofs] == 1)
next = ofs + 1;
else if (ofs + 1 < tcplen)
next = ofs + smp->data.u.str.area[ofs + 1];
else if ((ofs + 1 < tcplen) && smp->data.u.str.area[ofs + 1]) /* optlen 0 will cause an infinite loop */
next = ofs + (uchar)smp->data.u.str.area[ofs + 1];
else
break;
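
Review bot: the new `else if` condition rejects only an option length of 0, but a length of 1 is just as malformed for any option that carries a length field, since that field counts the kind and length bytes themselves and so cannot be smaller than 2. With length 1 the loop does advance, so it terminates, but `next = ofs + 1` makes the following iteration read the length byte as an option kind, and the fingerprint is then computed from misparsed data. Consider testing `(uchar)smp->data.u.str.area[ofs + 1] >= 2` instead of plain non-zero, which covers both cases in one comparison and keeps the `break` path for anything shorter. The inline comment could then say "optlen < 2 is invalid" rather than mentioning only the zero case. The lines shown here also do not check `next` against `tcplen` after the addition; if that is not done further down, a length byte pointing past the end of the options deserves the same treatment.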