BUG/MINOR: mux-spop: Fix possible off-by-one OOB read in spop_get_varint()

In spop_get_varint(), -1 is returned if there is not enough data in the
buffer to decode the variable integer. However a strict comparison agasint
b_data() was performed, which is wrong. A failure must be reported if the
index is greater or equal to b_data().

This patch must be backported as far as 3.2.

diff --git a/src/mux_spop.c b/src/mux_spop.c
index df2ca5f6252945c41349742070627b71f455ff19..840fa3c9f0d8fb4f2462b648c0f007ca7506982a 100644 (file)
--- a/src/mux_spop.c
+++ b/src/mux_spop.c
@@ -1033,7 +1033,7 @@ static __maybe_unused int spop_get_varint(const struct buffer *b, int o, uint64_
        size_t idx = o;
        int r;
 
-       if (idx > b_data(b))
+       if (idx >= b_data(b))
                return -1;
 
        p = (unsigned char *)b_peek(b, idx++);
@@ -1043,7 +1043,7 @@ static __maybe_unused int spop_get_varint(const struct buffer *b, int o, uint64_
 
        r = 4;
        do {
-               if (idx > b_data(b))
+               if (idx >= b_data(b))
                        return -1;
                p = (unsigned char *)b_peek(b, idx++);
                *i += (uint64_t)*p << r;