From dbf471f99a3ac7d8446da2b9ddf5cfcee77fddde Mon Sep 17 00:00:00 2001
From: Emeric Brun
Date: Wed, 22 Apr 2026 14:45:09 +0200
Subject: [PATCH] BUG/MAJOR: net_helper: ip.fp infinite loop on malformed tcp options

A malformed tcp option with an option length set to 0 can cause an infinite loop on ip.fp converter. The patch also forces the computation to use an unsigned char to avoid a shift back during the parsing. This fix should be backported on all versions including the ip.fp converter.
---
 src/net_helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/net_helper.c b/src/net_helper.c
index 5865a668f..b4efd159d 100644
--- a/src/net_helper.c
+++ b/src/net_helper.c
@@ -776,8 +776,8 @@ static int sample_conv_ip_fp(const struct arg *arg_p, struct sample *smp, void *
 /* kind1 = NOP and is a single byte, others have a length field */
 if (smp->data.u.str.area[ofs] == 1)
 next = ofs + 1;
- else if (ofs + 1 < tcplen)
- next = ofs + smp->data.u.str.area[ofs + 1];
+ else if ((ofs + 1 < tcplen) && smp->data.u.str.area[ofs + 1]) /* optlen 0 will cause an infinite loop */
+ next = ofs + (uchar)smp->data.u.str.area[ofs + 1];
 else
 break;
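Review bot: The new guard on the `else if` line rejects only an option length of 0, so a length of 1 is still accepted even though a TCP option length counts the kind and length bytes and cannot be below 2. With length 1 the loop does advance, but only by one byte, so the length byte is then parsed as an option kind and the fingerprint is built from misaligned data. Comparing against the minimum closes both cases: `else if ((ofs + 1 < tcplen) && (uchar)smp->data.u.str.area[ofs + 1] >= 2)`. The rest of the loop is outside the hunk, so whether `next` is checked against `tcplen` before the option body is read cannot be confirmed from here. The comment would also be clearer if it said the attacker-controlled length byte must be validated, e.g. `/* optlen comes from the packet: 0 would never advance ofs */`.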