From: Willy Tarreau Date: Wed, 29 Apr 2026 07:31:56 +0000 (+0200) Subject: BUG/MINOR: net_helper: fix out-of-bounds read in sample_conv_tcp_options_list X-Git-Tag: v3.4-dev10~4 X-Git-Url: http://www.kaiwu.me/postgresql/commit/static/gitweb.js?a=commitdiff_plain;h=afa32223b1bc61e265f1017222c9b5614b38af15;p=haproxy.git BUG/MINOR: net_helper: fix out-of-bounds read in sample_conv_tcp_options_list sample_conv_tcp_options_list() uses 'ofs + 1 <= len' to check bounds before reading the option length field at area[ofs + 1]. When ofs + 1 equals len, this reads one byte past the valid buffer (valid indices are 0 to len-1). This is the same bug pattern as tcp_fullhdr_find_opt() fixed previously, and the impact is also almost inexistent. --- diff --git a/src/net_helper.c b/src/net_helper.c index 4d842979c..6b46bfe5e 100644 --- a/src/net_helper.c +++ b/src/net_helper.c @@ -606,7 +606,7 @@ static int sample_conv_tcp_options_list(const struct arg *arg_p, struct sample * /* kind1 = NOP and is a single byte, others have a length field */ if (smp->data.u.str.area[ofs] == 1) ofs++; - else if (ofs + 1 <= len) + else if (ofs + 1 < len) ofs += smp->data.u.str.area[ofs + 1]; else break;
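Review bot: the length byte read in the `else if (ofs + 1 < len)` branch is still added to `ofs` without any validation: `ofs += smp->data.u.str.area[ofs + 1];` accepts a value of 0, which leaves `ofs` unchanged, and a value of 1, which is below the minimum TCP option length of 2 (kind byte plus length byte). The new comparison correctly keeps the read of `area[ofs + 1]` inside indices 0 to len-1, but nothing in the visible lines checks that the option body it announces fits within `len`. If the surrounding loop, which this hunk does not show, does not already cover these cases, consider reading the length into a local variable and taking the `break` path when it is less than 2 or when `ofs` plus that length exceeds `len`. The context comment "kind1 = NOP and is a single byte, others have a length field" also leaves out kind 0 (end of option list), which is a single byte as well; it is worth confirming that it is handled before this branch, or amending the comment. Since the commit message says this is the same pattern as the one fixed in tcp_fullhdr_find_opt(), a quick search for other `ofs + 1 <= len` style comparisons in src/net_helper.c would confirm that no third instance remains.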