From a336c467a04ab8fc7441d01b4004fb28ce1921f0 Mon Sep 17 00:00:00 2001
From: Emeric Brun
Date: Wed, 25 Mar 2026 17:39:21 +0100
Subject: [PATCH] BUG/MINOR: net_helper: fix length controls on ip.fp tcp options parsing

If opt len is truncated by tcplen we may read 1 Byte after the tcp header. There is also missing controls parsing MSS and WS we may compute invalid values on fingerprint reading after the tcp header in case of truncated options. This patch should be backported on versions including ip.fp
---
 src/net_helper.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/net_helper.c b/src/net_helper.c
index 949b0335f..8f19f8bb5 100644
--- a/src/net_helper.c
+++ b/src/net_helper.c
@@ -776,7 +776,7 @@ static int sample_conv_ip_fp(const struct arg *arg_p, struct sample *smp, void *
 /* kind1 = NOP and is a single byte, others have a length field */
 if (smp->data.u.str.area[ofs] == 1)
 next = ofs + 1;
- else if (ofs + 1 <= tcplen)
+ else if (ofs + 1 < tcplen)
 next = ofs + smp->data.u.str.area[ofs + 1];
 else
 break;
@@ -790,10 +790,10 @@ static int sample_conv_ip_fp(const struct arg *arg_p, struct sample *smp, void *
 if (mode & 2) // mode & 2: append tcp.options_list
 trash->area[trash->data++] = opt;
 
- if (opt == 2 /* MSS */) {
+ if (opt == 2 && (ofs + 3 < tcplen) /* MSS value starts at ofs + 2 and is 2 Bytes long */) {
 tcpmss = read_n16(smp->data.u.str.area + ofs + 2);
 }
- else if (opt == 3 /* WS */) {
+ else if (opt == 3 && (ofs + 2 < tcplen) /* WS value 1 Byte is at ofs + 2) {
 tcpws = (uchar)smp->data.u.str.area[ofs + 2];
 /* output from 1 to 15, thus 0=not found */
 tcpws = tcpws > 14 ? 15 : tcpws + 1;
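Review bot: The option length byte on the context line under the changed condition, `next = ofs + smp->data.u.str.area[ofs + 1];`, is added without an unsigned cast. If `area` is a plain `char` buffer (the `(uchar)` cast on the WS read later in this patch suggests it is), a length of 0x80 or more would sign-extend on signed-char targets and move `next` backwards. The tightened `ofs + 1 < tcplen` test keeps the read itself in bounds, but the value comes straight from the packet and is not range-checked in this hunk. Consider `next = ofs + (uchar)smp->data.u.str.area[ofs + 1];` and confirm that a length below 2 cannot leave `next <= ofs`. The loop and any later check on `next` lie outside the hunk, so this may already be handled there.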
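Review bot: The comment on the added WS line is never closed: `/* WS value 1 Byte is at ofs + 2) {` runs on to the `*/` of the `/* output from 1 to 15 ... */` comment two lines below. That swallows `) {` and the `tcpws = (uchar)...` read and leaves the `if (` unbalanced, so the file should not compile as posted. Close the comment before the parenthesis: `else if (opt == 3 && (ofs + 2 < tcplen) /* WS value 1 Byte is at ofs + 2 */) {`. Both new guards bound the read by `tcplen` only, so a malformed option whose declared length is shorter than its value (MSS below 4, WS below 3) still has bytes of the following option read as its value; comparing against `next`, if it is still in scope here, would be stricter. The enclosing block closes outside the hunk.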