A malformed TCP option with an option length set to 0 can cause
an infinite loop in the ip.fp converter.
The patch also forces the computation to use an unsigned char to
avoid a shift back during the parsing.
This fix should be backported to all versions including the ip.fp
converter.
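The two defects the commit message describes, an option length of 0 that never advances the cursor and a length byte read through a signed char so that values of 128 or more move the cursor backwards, are easiest to see in a small option walker. The following is an added example, not HAProxy code and not the ip.fp converter: it walks the option bytes that follow a TCP header and rejects the malformed lengths. It goes slightly beyond the patch by also rejecting a length of 1 and a length that runs past the end of the buffer. The function name `count_tcp_options` and the sample byte arrays are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example (not HAProxy code): parse the TCP option bytes that follow
 * the fixed 20-byte TCP header and return the number of well-formed options,
 * or -1 as soon as a malformed option is found. `opts` points at the first
 * option byte and `len` is the number of option bytes available. */
int count_tcp_options(const unsigned char *opts, size_t len)
{
    size_t ofs = 0;
    int count = 0;

    while (ofs < len) {
        unsigned char kind = opts[ofs];

        if (kind == 0)             /* kind 0 = EOL: end of option list */
            break;
        if (kind == 1) {           /* kind 1 = NOP: single byte, no length */
            ofs++;
            count++;
            continue;
        }
        if (ofs + 1 >= len)        /* kind present but length byte missing */
            return -1;

        /* Read the length as an unsigned byte. Through a plain (signed) char
         * a length of 0x80 or more would be negative and step backwards. */
        unsigned char optlen = opts[ofs + 1];

        if (optlen < 2)            /* 0 never advances (infinite loop); 1 is
                                      shorter than kind+length and mis-frames */
            return -1;
        if (ofs + optlen > len)    /* option claims bytes past the buffer */
            return -1;

        ofs += optlen;
        count++;
    }
    return count;
}

int main(void)
{
    /* constructed sample: MSS(2,4,1460) NOP NOP SACK-permitted(4,2) */
    const unsigned char good[] = {2, 4, 0x05, 0xb4, 1, 1, 4, 2};
    /* constructed sample: option kind 3 carrying a length byte of 0 */
    const unsigned char zero_len[] = {2, 4, 0x05, 0xb4, 3, 0, 0, 0};
    /* constructed sample: length byte 0x80, which is -128 as a signed char */
    const unsigned char big_len[] = {30, 0x80, 0, 0};

    printf("good=%d zero_len=%d big_len=%d\n",
           count_tcp_options(good, sizeof good),
           count_tcp_options(zero_len, sizeof zero_len),
           count_tcp_options(big_len, sizeof big_len));
    return 0;
}
```

The patch achieves the unsigned read with an explicit `(uchar)` cast on the stored byte; here the value is simply assigned to an `unsigned char`, which has the same effect. Either way, the bound check against the total length is what turns a malformed packet into a parse failure instead of a hang or an out-of-bounds read.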
/* kind1 = NOP and is a single byte, others have a length field */
if (smp->data.u.str.area[ofs] == 1)
next = ofs + 1;
- else if (ofs + 1 < tcplen)
- next = ofs + smp->data.u.str.area[ofs + 1];
+ else if ((ofs + 1 < tcplen) && smp->data.u.str.area[ofs + 1]) /* optlen 0 will cause an infinite loop */
+ next = ofs + (uchar)smp->data.u.str.area[ofs + 1];
else
break;
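Review bot: the new condition on the `else if` line rejects only an option length of exactly 0; a length of 1 is equally malformed (the TCP option length counts the kind and length bytes, so 2 is the minimum) and would leave `next` pointing at the option's own length byte, which the next iteration would read as a kind. Consider `(uchar)smp->data.u.str.area[ofs + 1] >= 2` instead of the bare non-zero test, which also keeps the read unsigned in the same way as the `(uchar)` cast on the following `next =` line; as written, the test happens on the signed value and only the assignment is cast.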