tcp_fullhdr_find_opt() reads smp->data.u.str.area[next + 1] without
checking that next + 1 < len. When the last byte of a TCP header's
options section (at index len - 1) contains an option type that is not
0 (EOL) and not 1 (NOP), the code reads one byte past the valid buffer,
which is an out-of-bounds read, which in practice is totally harmless
but should be fixed.
This can be backported where tcp_fullhdr_find_opt() was backported.
if (smp->data.u.str.area[next] == 0) // kind0=end of options
break;
/* kind1 = NOP and is a single byte, others have a length field */
- next += (smp->data.u.str.area[next] == 1) ? 1 : smp->data.u.str.area[next + 1];
+ if (smp->data.u.str.area[next] == 1)
+ next++;
+ else if (next + 1 < len)
+ next += smp->data.u.str.area[next + 1];
+ else
+ break;
if (smp->data.u.str.area[curr] == opt && next <= len)
return curr;
}
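Review bot: the new `next + 1 < len` guard closes the one-byte overread, but a length byte of 0 or 1 still leaves `next` stuck at or inside the current option (`next += smp->data.u.str.area[next + 1]` advances by less than the two bytes the option itself occupies), so unless the loop header not shown here bounds the iteration some other way, a malformed option can make this loop spin or re-read the same bytes. Every non-NOP, non-EOL TCP option has a length field that counts its own kind and length bytes, so a value below 2 is malformed; consider treating it like the out-of-range case, e.g. `else if (next + 1 < len && smp->data.u.str.area[next + 1] >= 2)`, and falling through to `break` otherwise. The existing `next <= len` check on the return path still catches an option whose declared length runs past the buffer, so that part does not need to change.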