code_public/ja4-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(ebpf): fix SSL data capture bug at 4096-byte boundary

Browse Source 
Fixed off-by-one error in uprobe_ssl.c where bpf_probe_read_user
was called with `data_len & (MAX_SSL_DATA - 1)` mask, causing
0-byte read when data_len was exactly 4096 (4096 & 4095 = 0).

This caused HTTP headers to be truncated when SSL_read returned
exactly 4096 bytes, resulting in host header values like "p"
instead of "platform".

The fix removes the incorrect bitwise operation and uses data_len
directly since it's already limited to MAX_SSL_DATA.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jacquin Antoine
2026-04-19 15:42:24 +02:00
parent 742f4420c0
commit b6735b3081
1 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
services/ja4ebpf/bpf/uprobe_ssl.c
View File

@ -152,8 +152,10 @@ int uretprobe_ssl_read_exit(struct pt_regs *ctx)
__u32 data_len = (retval > MAX_SSL_DATA) ? MAX_SSL_DATA : (__u32)retval; __u32 data_len = (retval > MAX_SSL_DATA) ? MAX_SSL_DATA : (__u32)retval;
evt->data_len = data_len; evt->data_len = data_len;
/* Copier depuis l'espace utilisateur */ /* Copier depuis l'espace utilisateur (data_len déjà limité à MAX_SSL_DATA) */
bpf_probe_read_user(evt->data, data_len & (MAX_SSL_DATA - 1), (void *)args->buf_ptr); if (data_len > 0) {
bpf_probe_read_user(evt->data, data_len, (void *)args->buf_ptr);
}
/* Retrouver les infos de connexion via ssl_ptr */ /* Retrouver les infos de connexion via ssl_ptr */
struct ssl_conn_info *conn = bpf_map_lookup_elem(&ssl_conn_map, &args->ssl_ptr); struct ssl_conn_info *conn = bpf_map_lookup_elem(&ssl_conn_map, &args->ssl_ptr);
@ -229,7 +231,10 @@ int uretprobe_ssl_write_exit(struct pt_regs *ctx)
__u32 data_len = (retval > MAX_SSL_DATA) ? MAX_SSL_DATA : (__u32)retval; __u32 data_len = (retval > MAX_SSL_DATA) ? MAX_SSL_DATA : (__u32)retval;
evt->data_len = data_len; evt->data_len = data_len;
bpf_probe_read_user(evt->data, data_len & (MAX_SSL_DATA - 1), (void *)args->buf_ptr); /* Copier depuis l'espace utilisateur (data_len déjà limité à MAX_SSL_DATA) */
if (data_len > 0) {
bpf_probe_read_user(evt->data, data_len, (void *)args->buf_ptr);
}
struct ssl_conn_info *conn = bpf_map_lookup_elem(&ssl_conn_map, &args->ssl_ptr); struct ssl_conn_info *conn = bpf_map_lookup_elem(&ssl_conn_map, &args->ssl_ptr);
if (conn) { if (conn) {