>> @@ -402,7 +402,7 @@ smp_fetch_req_ssl_ver(const struct arg *args, struct 
>> sample *smp, const char *kw
>> if (bleft < 5)
>> goto too_short;
>>
>> - version = (data[1] << 16) + data[2]; /* version: major, minor */
>> + version = (data[9] << 16) + data[10]; /* client hello version: major, 
>> minor */
>> msg_len = (data[3] << 8) + data[4]; /* record length */
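Review bot: the guard `if (bleft < 5)` at the top of this hunk no longer covers the read on the changed line: reading data[9] and data[10] requires at least 11 bytes in the buffer, so the check must become `if (bleft < 11)`, otherwise a short record is read past its end before `too_short` is reached; any later `bleft -= 11; data += 11;` adjustment must use the same value so the remaining-length bookkeeping stays consistent with the bytes actually consumed.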
>
> See above ? we check for 5 bytes minimum because we didn't parse further
> than data[4], and now we're reading data[10], so the test on bleft above
> must be changed to bleft < 11.
>
> Can someone please check if the other patch referenced above has the same
> bug?

Ouch, here's the original patch:
http://marc.info/?l=haproxy&m=144431273015849&w=2

It does indeed bump this check to 11 bytes. Also, there is a third change in
that patch, where it touches bleft and data values (bleft -= 11; data += 11;)
some lines below.

The original patch does not work, at this point I'm not quite sure why.

Both the first and the third change in the original patch are necessary,
is that correct?


Thanks and sorry for the near-miss,

Lukas
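As an added illustration of the bounds-check problem discussed in this thread (this is example code, not HAProxy's smp_fetch_req_ssl_ver()), the following C function reads the record length from data[3..4] and the client hello version from data[9..10] exactly as the hunk does, but refuses to touch the buffer unless at least 11 bytes are present. It assumes the standard layout of a TLS record carrying a ClientHello: a 5-byte record header (type, version, length) followed by a 4-byte handshake header and then the 2-byte client version, which is what puts the version at offsets 9 and 10. On success it returns the number of bytes it consumed so the caller can do the `data += n; bleft -= n;` step from the third change with the same constant.

```c
#include <stddef.h>
#include <stdio.h>

/* Bytes that must be present before the parser may read data[10]:
 * 5 (record header) + 4 (handshake header) + 2 (client version) = 11.
 * The buggy hunk kept the old minimum of 5, which only covered data[4]. */
#define CLIENT_HELLO_VER_MIN_LEN 11

/* Parse the record length and client hello version from the start of a
 * TLS record. Returns the number of bytes consumed (11) on success and 0
 * when the buffer is too short, in which case nothing is read.
 * Hypothetical helper written for this example. */
int parse_client_hello_version(const unsigned char *data, size_t bleft,
                               unsigned int *version, unsigned int *msg_len)
{
    if (bleft < CLIENT_HELLO_VER_MIN_LEN)
        return 0;                                   /* too_short */

    *msg_len = (data[3] << 8) + data[4];            /* record length */
    *version = (data[9] << 16) + data[10];          /* client hello version: major, minor */
    return CLIENT_HELLO_VER_MIN_LEN;
}

/* Constructed sample (not a real capture): a handshake record whose
 * ClientHello advertises version 3.3 (TLS 1.2). Only the leading bytes
 * matter for this parser. */
static const unsigned char sample_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x2a,   /* record: handshake, version 3.1, length 42 */
    0x01, 0x00, 0x00, 0x26,         /* handshake: ClientHello, length 38 */
    0x03, 0x03                      /* client version 3.3 */
};

int main(void)
{
    const unsigned char *data = sample_hello;
    size_t bleft = sizeof(sample_hello);
    unsigned int version, msg_len;
    int n;

    /* A 5-byte prefix satisfied the old check but is rejected now. */
    if (parse_client_hello_version(data, 5, &version, &msg_len) == 0)
        printf("5 bytes: too short, nothing read\n");

    n = parse_client_hello_version(data, bleft, &version, &msg_len);
    if (n) {
        data += n;      /* same constant as the length check, as in the third change */
        bleft -= n;
        printf("version 0x%x, record length %u, %zu bytes left\n",
               version, msg_len, bleft);
    }
    return 0;
}
```

The point of tying the advance (`data += n; bleft -= n;`) to the value the function returns is that the minimum-length check, the highest offset read and the number of bytes skipped are then all derived from one constant, so they cannot drift apart the way the first and third changes did in the original patch.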
