From b6735b3081551b1592997d952fe272720111a6d0 Mon Sep 17 00:00:00 2001
From: Jacquin Antoine <antoine@arkel.fr>
Date: Sun, 19 Apr 2026 15:42:24 +0200
Subject: [PATCH] fix(ebpf): fix SSL data capture bug at 4096-byte boundary

Fixed off-by-one error in uprobe_ssl.c where bpf_probe_read_user
was called with `data_len & (MAX_SSL_DATA - 1)` mask, causing
0-byte read when data_len was exactly 4096 (4096 & 4095 = 0).

This caused HTTP headers to be truncated when SSL_read returned
exactly 4096 bytes, resulting in host header values like "p"
instead of "platform".

The fix removes the incorrect bitwise operation and uses data_len
directly since it's already limited to MAX_SSL_DATA.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 services/ja4ebpf/bpf/uprobe_ssl.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/services/ja4ebpf/bpf/uprobe_ssl.c b/services/ja4ebpf/bpf/uprobe_ssl.c
index 5af38bc..0aa6f32 100644
--- a/services/ja4ebpf/bpf/uprobe_ssl.c
+++ b/services/ja4ebpf/bpf/uprobe_ssl.c
@@ -152,8 +152,10 @@ int uretprobe_ssl_read_exit(struct pt_regs *ctx)
     __u32 data_len = (retval > MAX_SSL_DATA) ? MAX_SSL_DATA : (__u32)retval;
     evt->data_len = data_len;
 
-    /* Copier depuis l'espace utilisateur */
-    bpf_probe_read_user(evt->data, data_len & (MAX_SSL_DATA - 1), (void *)args->buf_ptr);
+    /* Copier depuis l'espace utilisateur (data_len déjà limité à MAX_SSL_DATA) */
+    if (data_len > 0) {
+        bpf_probe_read_user(evt->data, data_len, (void *)args->buf_ptr);
+    }
 
     /* Retrouver les infos de connexion via ssl_ptr */
     struct ssl_conn_info *conn = bpf_map_lookup_elem(&ssl_conn_map, &args->ssl_ptr);
@@ -229,7 +231,10 @@ int uretprobe_ssl_write_exit(struct pt_regs *ctx)
     __u32 data_len = (retval > MAX_SSL_DATA) ? MAX_SSL_DATA : (__u32)retval;
     evt->data_len = data_len;
 
-    bpf_probe_read_user(evt->data, data_len & (MAX_SSL_DATA - 1), (void *)args->buf_ptr);
+    /* Copier depuis l'espace utilisateur (data_len déjà limité à MAX_SSL_DATA) */
+    if (data_len > 0) {
+        bpf_probe_read_user(evt->data, data_len, (void *)args->buf_ptr);
+    }
 
     struct ssl_conn_info *conn = bpf_map_lookup_elem(&ssl_conn_map, &args->ssl_ptr);
     if (conn) {