From: Willy Tarreau Date: Sun, 24 May 2026 16:14:50 +0000 (+0200) Subject: BUG/MEDIUM: tcpcheck/spoe: bound the SPOP error code to valid values X-Git-Tag: v3.4-dev14~56 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=bbef74fb21c4a7af95f138476d4ce42c9e698a57;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: tcpcheck/spoe: bound the SPOP error code to valid values tcpcheck_spop_expect_hello() stores the SPOA agent-supplied status-code varint directly into check->code (signed short) without range validation. The code is later used as an index into spop_err_reasons[100]. Let's just replace invalid status codes with SPOP_ERR_UNKNOWN to avoid any problem. The SPOP tcp-check was introduced in 3.1 so this fix must be backported to 3.2. --- diff --git a/src/tcpcheck.c b/src/tcpcheck.c index 7a756c1d2..2ab1b2bf2 100644 --- a/src/tcpcheck.c +++ b/src/tcpcheck.c @@ -834,6 +834,8 @@ enum tcpcheck_eval_ret tcpcheck_spop_expect_hello(struct check *check, struct tc goto invalid_frame; if (decode_varint(&ptr, end, &sz) == -1) goto invalid_frame; + if (sz >= SPOP_ERR_ENTRIES) + sz = SPOP_ERR_UNKNOWN; check->code = sz; }
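Review bot: the new test `if (sz >= SPOP_ERR_ENTRIES)` just before `check->code = sz;` is only an upper bound, so it is sufficient only if `sz` is an unsigned type. The declaration of `sz` is not in the visible context. Please confirm it is unsigned, so that no value can pass the test and still become a negative index once narrowed into the signed short `check->code`. The commit message describes the table as `spop_err_reasons[100]` while the test uses `SPOP_ERR_ENTRIES`; it would help to make sure the array is declared with that same macro so the bound and the table size cannot drift apart. A one-line comment above the test saying that the value comes from the agent and is later used as an array index would also help. Finally, the message says the SPOP tcp-check was introduced in 3.1 but asks for a backport to 3.2; please state which branch is the intended backport limit.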