HIGH 7.5

GHSA-cc37-9q2j-3hfv

Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length

Details

When decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex(), length)` and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsException. HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the IOOBE propagates and the retained slice on the pooled cumulation buffer is never released.

Are you affected?

Enter the version of the package you're using.

Affected packages

Maven / io.netty:netty-codec-haproxy

Introduced in: 4.2.0.Final Fixed in: 4.2.15.Final

Fix # pom.xml: bump <version>4.2.15.Final</version> for io.netty:netty-codec-haproxy

Maven / io.netty:netty-codec-haproxy

Introduced in: 0 Fixed in: 4.1.135.Final

Fix # pom.xml: bump <version>4.1.135.Final</version> for io.netty:netty-codec-haproxy

Details

Are you affected?

Affected packages

References