]> git.kaiwu.me - haproxy.git/commit
projects / haproxy.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 9ed6a12) | patch
BUG/MINOR: net_helper: fix out-of-bounds read in sample_conv_tcp_options_list
authorWilly Tarreau <w@1wt.eu>
Wed, 29 Apr 2026 07:31:56 +0000 (09:31 +0200)
committerWilly Tarreau <w@1wt.eu>
Wed, 29 Apr 2026 13:11:44 +0000 (15:11 +0200)
commitafa32223b1bc61e265f1017222c9b5614b38af15
tree991a0bc62762591fe9f5d6ea926a8a92ae0095datree | snapshot
parent9ed6a121a9ce0999fdfa1dc7d8a67eacc53d062bcommit | diff
BUG/MINOR: net_helper: fix out-of-bounds read in sample_conv_tcp_options_list

sample_conv_tcp_options_list() uses 'ofs + 1 <= len' to check bounds
before reading the option length field at area[ofs + 1]. When ofs + 1
equals len, this reads one byte past the valid buffer (valid indices are
0 to len-1).

This is the same bug pattern as tcp_fullhdr_find_opt() fixed previously,
and the impact is also almost inexistent.
src/net_helper.c diff | blob | history
haproxy upstream