BUG/MINOR: net_helper: fix length controls on ip.fp tcp options parsing

If opt len is truncated by tcplen we may read 1 Byte after the
tcp header.

Length checks were also missing when parsing MSS and WS: in case of
truncated options we may compute invalid fingerprint values by reading
after the tcp header.

This patch should be backported on versions including ip.fp
Emeric Brun 2026-03-25 17:39:21 +01:00 committed by Willy Tarreau
parent e375f1061a
commit a336c467a0


@ -776,7 +776,7 @@ static int sample_conv_ip_fp(const struct arg *arg_p, struct sample *smp, void *
/* kind1 = NOP and is a single byte, others have a length field */
if (smp->data.u.str.area[ofs] == 1)
next = ofs + 1;
else if (ofs + 1 <= tcplen)
else if (ofs + 1 < tcplen)
next = ofs + smp->data.u.str.area[ofs + 1];
else
break;
@ -790,10 +790,10 @@ static int sample_conv_ip_fp(const struct arg *arg_p, struct sample *smp, void *
if (mode & 2) // mode & 2: append tcp.options_list
trash->area[trash->data++] = opt;
if (opt == 2 /* MSS */) {
if (opt == 2 && (ofs + 3 < tcplen) /* MSS value starts at ofs + 2 and is 2 Bytes long */) {
tcpmss = read_n16(smp->data.u.str.area + ofs + 2);
}
else if (opt == 3 /* WS */) {
else if (opt == 3 && (ofs + 2 < tcplen) /* WS value 1 Byte is at ofs + 2) {
tcpws = (uchar)smp->data.u.str.area[ofs + 2];
/* output from 1 to 15, thus 0=not found */
tcpws = tcpws > 14 ? 15 : tcpws + 1;