fix(ebpf): fix SSL data capture bug at 4096-byte boundary
Fixed off-by-one error in uprobe_ssl.c where bpf_probe_read_user was called with `data_len & (MAX_SSL_DATA - 1)` mask, causing 0-byte read when data_len was exactly 4096 (4096 & 4095 = 0). This caused HTTP headers to be truncated when SSL_read returned exactly 4096 bytes, resulting in host header values like "p" instead of "platform". The fix removes the incorrect bitwise operation and uses data_len directly since it's already limited to MAX_SSL_DATA. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jacquin Antoine
@ -152,8 +152,10 @@ int uretprobe_ssl_read_exit(struct pt_regs *ctx)
|
||||
__u32 data_len = (retval > MAX_SSL_DATA) ? MAX_SSL_DATA : (__u32)retval;
|
||||
evt->data_len = data_len;
|
||||
|
||||
/* Copier depuis l'espace utilisateur */
|
||||
bpf_probe_read_user(evt->data, data_len & (MAX_SSL_DATA - 1), (void *)args->buf_ptr);
|
||||
/* Copier depuis l'espace utilisateur (data_len déjà limité à MAX_SSL_DATA) */
|
||||
if (data_len > 0) {
|
||||
bpf_probe_read_user(evt->data, data_len, (void *)args->buf_ptr);
|
||||
}
|
||||
|
||||
/* Retrouver les infos de connexion via ssl_ptr */
|
||||
struct ssl_conn_info *conn = bpf_map_lookup_elem(&ssl_conn_map, &args->ssl_ptr);
|
||||
@ -229,7 +231,10 @@ int uretprobe_ssl_write_exit(struct pt_regs *ctx)
|
||||
__u32 data_len = (retval > MAX_SSL_DATA) ? MAX_SSL_DATA : (__u32)retval;
|
||||
evt->data_len = data_len;
|
||||
|
||||
bpf_probe_read_user(evt->data, data_len & (MAX_SSL_DATA - 1), (void *)args->buf_ptr);
|
||||
/* Copier depuis l'espace utilisateur (data_len déjà limité à MAX_SSL_DATA) */
|
||||
if (data_len > 0) {
|
||||
bpf_probe_read_user(evt->data, data_len, (void *)args->buf_ptr);
|
||||
}
|
||||
|
||||
struct ssl_conn_info *conn = bpf_map_lookup_elem(&ssl_conn_map, &args->ssl_ptr);
|
||||
if (conn) {
|
||||
|
||||
Reference in New Issue
Block a user