mirror of
https://github.com/haproxy/haproxy.git
synced 2026-05-14 18:09:14 -04:00
BUG/MAJOR: net_helper: ip.fp infinite loop on malformed tcp options
A malformed tcp option with an option length set to 0 can cause an infinite loop in the ip.fp converter. The patch also forces the computation to use an unsigned char to avoid a shift back during the parsing. This fix should be backported on all versions including the ip.fp converter.
parent 7e1cc0fcdb
commit dbf471f99a
1 changed files with 2 additions and 2 deletions
@ -776,8 +776,8 @@ static int sample_conv_ip_fp(const struct arg *arg_p, struct sample *smp, void *
|
|||
/* kind1 = NOP and is a single byte, others have a length field */
|
||||
if (smp->data.u.str.area[ofs] == 1)
|
||||
next = ofs + 1;
|
||||
else if (ofs + 1 < tcplen)
|
||||
next = ofs + smp->data.u.str.area[ofs + 1];
|
||||
else if ((ofs + 1 < tcplen) && smp->data.u.str.area[ofs + 1]) /* optlen 0 will cause an infinite loop */
|
||||
next = ofs + (uchar)smp->data.u.str.area[ofs + 1];
|
||||
else
|
||||
break;
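Review bot: the new `else if` condition rejects only an option length of 0, but a length of 1 on an option that carries a length field is just as malformed, because the length counts the kind and length bytes themselves and so cannot be below 2. With a length of 1 the loop still advances, so it terminates, but `next` lands on the length byte itself, which would presumably then be read as an option kind. Consider requiring the length to be at least 2 rather than non-zero, and reading `smp->data.u.str.area[ofs + 1]` once into a local `uchar` so the test and the addition in `next = ofs + (uchar)smp->data.u.str.area[ofs + 1];` work on the same unsigned value. Whether `next` is checked against `tcplen` before the next read is not visible in this hunk and is worth confirming. The commit changes one file and adds no regression test; a test case with a zero-length option and another with a length byte of 0x80 or above would cover both behaviours the message describes.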