BUG/MAJOR: net_helper: also fix tcp_options_list for OOB write loop

The exact same issue that was fixed for ip.fp with commit dbf471f99a
("BUG/MAJOR: net_helper: ip.fp infinite loop on malformed tcp options")
also exists for tcp_options_list: an option with a zero size will prevent
the offset from making any progress and will loop forever. In this case,
since we produce output, trash->data gets incremented on each loop and
the byte at ofs is used to fill the memory there, quickly overflowing the
area.

The exact same fix as above was applied here again, including the uchar
cast to make sure we don't go back-and-forth between two positions.

Such TCP options are not valid and will not be reported by the TCP stack,
however they can happen in case options are passed in headers by a first
proxy, or are offered in a return directive fed from a query string as a
means of providing a debugging tool for admins.

Thanks to Omkhar Arasaratnam for reporting this issue.

This fix must be backported to 3.2 where the commits above were
backported.

diff --git a/src/net_helper.c b/src/net_helper.c
index e71abd9b0cae0f4f872c92f68aa53ef7c931a849..84e6b86d86f602fcf0b8d705e281dd13c3466598 100644 (file)
--- a/src/net_helper.c
+++ b/src/net_helper.c
@@ -605,8 +605,8 @@ static int sample_conv_tcp_options_list(const struct arg *arg_p, struct sample *
                /* kind1 = NOP and is a single byte, others have a length field */
                if (smp->data.u.str.area[ofs] == 1)
                        ofs++;
-               else if (ofs + 1 < len)
-                       ofs += smp->data.u.str.area[ofs + 1];
+               else if (ofs + 1 < len && smp->data.u.str.area[ofs + 1])
+                       ofs += (uchar)smp->data.u.str.area[ofs + 1];
                else
                        break;
        }