sample_conv_tcp_options_list() uses 'ofs + 1 <= len' to check bounds
before reading the option length field at area[ofs + 1]. When ofs + 1
equals len, this reads one byte past the valid buffer (valid indices are
0 to len-1).
This is the same bug pattern as tcp_fullhdr_find_opt() fixed previously,
and the impact is also almost nonexistent.
/* kind1 = NOP and is a single byte, others have a length field */
if (smp->data.u.str.area[ofs] == 1)
ofs++;
- else if (ofs + 1 <= len)
+ else if (ofs + 1 < len)
ofs += smp->data.u.str.area[ofs + 1];
else
break;
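Review bot: the length byte at `smp->data.u.str.area[ofs + 1]` is added to `ofs` with no lower bound, so a malformed option carrying length 0 leaves `ofs` unchanged and length 1 advances only onto the length byte itself; unless the enclosing loop (not visible in this hunk) already refuses a non-advancing `ofs`, consider rejecting lengths below 2 in the same condition, e.g. `else if (ofs + 1 < len && smp->data.u.str.area[ofs + 1] >= 2)` ahead of `ofs += smp->data.u.str.area[ofs + 1];`. Also worth confirming that kind 0 (end of option list), which is likewise a single byte with no length field, is handled before reaching this branch, since the comment names only kind 1 as the one-byte case.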