From: Emeric Brun
Date: Wed, 25 Mar 2026 16:39:21 +0000 (+0100)
Subject: BUG/MINOR: net_helper: fix length controls on ip.fp tcp options parsing
X-Git-Tag: v3.4-dev8~89
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a336c467a04ab8fc7441d01b4004fb28ce1921f0;p=thirdparty%2Fhaproxy.git
BUG/MINOR: net_helper: fix length controls on ip.fp tcp options parsing
If opt len is truncated by tcplen we may read 1 Byte after the tcp header. There is also missing controls parsing MSS and WS we may compute invalid values on fingerprint reading after the tcp header in case of truncated options. This patch should be backported on versions including ip.fp
---
diff --git a/src/net_helper.c b/src/net_helper.c
index 949b0335f..8f19f8bb5 100644
--- a/src/net_helper.c
+++ b/src/net_helper.c
@@ -776,7 +776,7 @@ static int sample_conv_ip_fp(const struct arg *arg_p, struct sample *smp, void *
 /* kind1 = NOP and is a single byte, others have a length field */
 if (smp->data.u.str.area[ofs] == 1)
 next = ofs + 1;
- else if (ofs + 1 <= tcplen)
+ else if (ofs + 1 < tcplen)
 next = ofs + smp->data.u.str.area[ofs + 1];
 else
 break;
@@ -790,10 +790,10 @@ static int sample_conv_ip_fp(const struct arg *arg_p, struct sample *smp, void *
 if (mode & 2) // mode & 2: append tcp.options_list
 trash->area[trash->data++] = opt;
- if (opt == 2 /* MSS */) {
+ if (opt == 2 && (ofs + 3 < tcplen) /* MSS value starts at ofs + 2 and is 2 Bytes long */) {
 tcpmss = read_n16(smp->data.u.str.area + ofs + 2);
 }
- else if (opt == 3 /* WS */) {
+ else if (opt == 3 && (ofs + 2 < tcplen) /* WS value 1 Byte is at ofs + 2) {
 tcpws = (uchar)smp->data.u.str.area[ofs + 2];
 /* output from 1 to 15, thus 0=not found */
 tcpws = tcpws > 14 ? 15 : tcpws + 1;
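Review bot: In the first hunk (`@@ -776,7`), the length byte on the line right after the corrected test, `next = ofs + smp->data.u.str.area[ofs + 1];`, is added to `ofs` without a cast, while the WS branch in the second hunk reads the same buffer through `(uchar)`. If `area` is a plain `char` buffer, a length byte of 0x80 or above is negative on targets where `char` is signed and `next` would move backwards; a declared length of 0 or 1 likewise leaves `next` at or just past `ofs`. I would write `next = ofs + (uchar)smp->data.u.str.area[ofs + 1];` and reject a length below 2 before `next` is used, unless the code following this hunk already does so. The loop around these lines begins and ends outside the hunk, so that validation is not visible here.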
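Review bot: In the second hunk (`@@ -790,10`), as shown on this page the comment in the new WS condition, `/* WS value 1 Byte is at ofs + 2) {`, has no closing `*/` before the `) {`, so it would run on to the `*/` of the "output from 1 to 15" comment two lines below and swallow the closing parenthesis, the brace and the `tcpws` read. Closing it the way the MSS line does avoids that: `else if (opt == 3 && (ofs + 2 < tcplen) /* WS value 1 Byte is at ofs + 2 */) {`. Separately, both new tests bound the read by `tcplen` only and not by the option's own length byte, so an MSS option declaring fewer than 4 bytes (or WS fewer than 3) would still take its value from the bytes of the next option. Testing against `next` instead (`ofs + 3 < next`, `ofs + 2 < next`) would cover both cases, assuming `next` has already been checked against `tcplen` in the lines between the two hunks. The enclosing function continues past the end of the hunk.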