From: Willy Tarreau Date: Wed, 29 Apr 2026 07:31:27 +0000 (+0200) Subject: BUG/MINOR: net_helper: fix out-of-bounds read in tcp_fullhdr_find_opt X-Git-Tag: v3.4-dev10~5 X-Git-Url: http://www.kaiwu.me/postgresql/commit/static/gitweb.js?a=commitdiff_plain;h=9ed6a121a9ce0999fdfa1dc7d8a67eacc53d062b;p=haproxy.git BUG/MINOR: net_helper: fix out-of-bounds read in tcp_fullhdr_find_opt tcp_fullhdr_find_opt() reads smp->data.u.str.area[next + 1] without checking that next + 1 < len. When the last byte of a TCP header's options section (at index len - 1) contains an option type that is not 0 (EOL) and not 1 (NOP), the code reads one byte past the valid buffer, which is an out-of-bounds read, which in practice is totally harmless but should be fixed. This can be backported where tcp_fullhdr_find_opt() was backported. --- diff --git a/src/net_helper.c b/src/net_helper.c index b4efd159d..4d842979c 100644 --- a/src/net_helper.c +++ b/src/net_helper.c @@ -446,7 +446,12 @@ static size_t tcp_fullhdr_find_opt(const struct sample *smp, uint8_t opt) if (smp->data.u.str.area[next] == 0) // kind0=end of options break; /* kind1 = NOP and is a single byte, others have a length field */ - next += (smp->data.u.str.area[next] == 1) ? 1 : smp->data.u.str.area[next + 1]; + if (smp->data.u.str.area[next] == 1) + next++; + else if (next + 1 < len) + next += smp->data.u.str.area[next + 1]; + else + break; if (smp->data.u.str.area[curr] == opt && next <= len) return curr; }
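Review bot: the new `else if (next + 1 < len)` branch still accepts a length byte of 0 or 1 in `next += smp->data.u.str.area[next + 1];`. With 0, `next` does not advance at all; with 1, `next` lands on the length byte itself, which the following iteration then reads as an option kind. Whether the enclosing loop terminates on a zero-length option is not visible in this hunk, so suggest guarding it explicitly, e.g. `else if (next + 1 < len && smp->data.u.str.area[next + 1] >= 2)` with the final `else` breaking out as it does now. The bounds fix itself is correct: a kind byte at index len - 1 that is neither EOL nor NOP now reaches `break` instead of reading `area[len]`, and the existing `next <= len` check on the return path still rejects an option whose body runs past the buffer.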
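The option walk described in the commit message, as an added example that is not HAProxy's code: a bounds-checked parser over the options section of a full TCP header that never reads past the last byte, generalized with a guard against a zero or one-byte length field so that every iteration advances. The function name `tcp_opt_find`, the constant `TCP_FIXED_HDR` and the sample headers are constructed for this example; the header buffers are 20 zero bytes of fixed header followed by hand-written options, not captured traffic.

```c
/* Added example, not HAProxy's code: a bounds-checked walk over the options
 * section of a full TCP header. Names and sample data are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCP_FIXED_HDR 20   /* options start after the 20-byte fixed header */

/* Return the offset of the first option of kind <opt> inside hdr[0..len),
 * or -1 if it is absent, truncated, or the encoding is malformed.
 * Every access is at an index strictly below len. */
long tcp_opt_find(const uint8_t *hdr, size_t len, uint8_t opt)
{
    size_t next = TCP_FIXED_HDR;

    while (next < len) {
        size_t curr = next;
        uint8_t kind = hdr[next];
        size_t optlen;

        if (kind == 0)                 /* kind 0 = EOL: nothing follows */
            return -1;
        if (kind == 1) {               /* kind 1 = NOP: single byte, no length */
            optlen = 1;
        } else {
            if (next + 1 >= len)       /* kind is the last byte: the length
                                        * field would lie outside the buffer */
                return -1;
            optlen = hdr[next + 1];
            if (optlen < 2)            /* 0 would never advance, 1 would make
                                        * the length byte the next "kind" */
                return -1;
        }
        next += optlen;
        if (next > len)                /* option body runs past the buffer */
            return -1;
        if (kind == opt)
            return (long)curr;
    }
    return -1;
}

/* Constructed sample headers (20 zero bytes, then options). */
/* MSS(2,4,1460) NOP WS(3,3,7) SACK-permitted(4,2) NOP EOL */
static const uint8_t SYN_FULL[32] = { [20] = 2, 4, 0x05, 0xb4, 1, 3, 3, 7, 4, 2, 1, 0 };
/* NOP then a lone kind byte 2 at index len - 1: the case fixed above */
static const uint8_t SYN_TRAILING_KIND[22] = { [20] = 1, 2 };
/* option with a zero length field followed by NOPs */
static const uint8_t SYN_ZERO_LEN[24] = { [20] = 2, 0, 1, 1 };
/* MSS option whose declared length (4) exceeds the bytes present (3) */
static const uint8_t SYN_CUT_MSS[23] = { [20] = 2, 4, 0x05 };

int main(void)
{
    printf("MSS in full SYN:          %ld\n", tcp_opt_find(SYN_FULL, sizeof(SYN_FULL), 2));
    printf("WS in full SYN:           %ld\n", tcp_opt_find(SYN_FULL, sizeof(SYN_FULL), 3));
    printf("timestamps in full SYN:   %ld\n", tcp_opt_find(SYN_FULL, sizeof(SYN_FULL), 8));
    printf("kind at last byte:        %ld\n", tcp_opt_find(SYN_TRAILING_KIND, sizeof(SYN_TRAILING_KIND), 2));
    printf("zero-length option:       %ld\n", tcp_opt_find(SYN_ZERO_LEN, sizeof(SYN_ZERO_LEN), 1));
    printf("truncated MSS:            %ld\n", tcp_opt_find(SYN_CUT_MSS, sizeof(SYN_CUT_MSS), 2));
    return 0;
}
```

The `next + 1 >= len` test is the check the commit adds; the `optlen < 2` test is the additional progress guard, since a length field below 2 is invalid for any option that carries one and would otherwise stall or mis-align the walk.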