From: Christopher Faulet
Date: Mon, 1 Jun 2026 13:25:32 +0000 (+0200)
Subject: BUG/MINOR: mux-spop: Fix possible off-by-one OOB read in spop_get_varint()
X-Git-Tag: v3.4.0~28
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4a540a4fb7b148a8d7d32a8b5434fc51e5dd6bcd;p=thirdparty%2Fhaproxy.git

BUG/MINOR: mux-spop: Fix possible off-by-one OOB read in spop_get_varint()

In spop_get_varint(), -1 is returned if there is not enough data in the buffer to decode the variable integer. However a strict comparison against b_data() was performed, which is wrong. A failure must be reported if the index is greater or equal to b_data().

This patch must be backported as far as 3.2.
---
diff --git a/src/mux_spop.c b/src/mux_spop.c index df2ca5f62..840fa3c9f 100644 --- a/src/mux_spop.c +++ b/src/mux_spop.c @@ -1033,7 +1033,7 @@ static __maybe_unused int spop_get_varint(const struct buffer *b, int o, uint64_ size_t idx = o; int r; - if (idx > b_data(b)) + if (idx >= b_data(b)) return -1; p = (unsigned char *)b_peek(b, idx++); @@ -1043,7 +1043,7 @@ static __maybe_unused int spop_get_varint(const struct buffer *b, int o, uint64_ r = 4; do { - if (idx > b_data(b)) + if (idx >= b_data(b)) return -1; p = (unsigned char *)b_peek(b, idx++); *i += (uint64_t)*p << r;
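Review bot: in the first hunk (@@ -1033), `size_t idx = o;` is initialised from the `int o` parameter, so a negative offset is rejected only because it converts to a very large `size_t` and happens to trip the new `idx >= b_data(b)` test. That dependency is implicit and easy to lose in a later refactor. Either take the offset as `size_t`, or add an explicit `o < 0` rejection (or at least a comment) next to the bounds check so the first `b_peek(b, idx++)` is visibly guarded for both ends of the range.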
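Review bot: in the second hunk (@@ -1043), the `do` loop updates the caller's output with `*i += (uint64_t)*p << r;` on every iteration, so when `idx >= b_data(b)` fails on a later byte the function returns -1 with `*i` already holding a partial value. Accumulate into a local and store to `*i` only on success, or document that `*i` is undefined when -1 is returned. The same bounds test now appears in two places and was wrong in both; a small helper that does the check and the `b_peek()` together would keep the two from diverging again.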