From: Emeric Brun Date: Wed, 22 Apr 2026 12:45:09 +0000 (+0200) Subject: BUG/MAJOR: net_helper: ip.fp infinite loop on malformed tcp options X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=dbf471f99a3ac7d8446da2b9ddf5cfcee77fddde;p=thirdparty%2Fhaproxy.git BUG/MAJOR: net_helper: ip.fp infinite loop on malformed tcp options A malformed tcp option with an option length set to 0 can cause an infinite loop on ip.fp converter. The patch also forces the computation to use an unsigned char to avoid a shift back during the parsing. This fix should be backported on all versions including the ip.fp converter. --- diff --git a/src/net_helper.c b/src/net_helper.c index 5865a668f..b4efd159d 100644 --- a/src/net_helper.c +++ b/src/net_helper.c @@ -776,8 +776,8 @@ static int sample_conv_ip_fp(const struct arg *arg_p, struct sample *smp, void * /* kind1 = NOP and is a single byte, others have a length field */ if (smp->data.u.str.area[ofs] == 1) next = ofs + 1; - else if (ofs + 1 < tcplen) - next = ofs + smp->data.u.str.area[ofs + 1]; + else if ((ofs + 1 < tcplen) && smp->data.u.str.area[ofs + 1]) /* optlen 0 will cause an infinite loop */ + next = ofs + (uchar)smp->data.u.str.area[ofs + 1]; else break;
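Review bot: the new guard on the `else if` line rejects only an option length of 0, but a length of 1 is just as invalid for an option that carries a length field, because the length counts the kind and length bytes themselves and so can never be below 2. With a length of 1, `next = ofs + 1` does advance, so the loop terminates, but the length byte is then read as an option kind on the next pass and the fingerprint is built from misaligned data. Consider reading `smp->data.u.str.area[ofs + 1]` once into an unsigned local and taking the `break` path when it is below 2; that also avoids indexing the buffer twice and keeps the `(uchar)` cast in one place. This hunk does not show whether `next` is compared against `tcplen` before it is used. With the unsigned cast, a length of 0x80 or more now moves forward by up to 255 bytes instead of backward, so it is worth confirming that the bound is enforced after this block. As a style point, the trailing comment makes the condition line very long and would read better on its own line above the `else if`.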