From e25caa85da61b1097d169bc653549610288f59ab Mon Sep 17 00:00:00 2001 From: Jacquin Antoine Date: Wed, 15 Apr 2026 02:57:29 +0200 Subject: [PATCH] fix(ja4ebpf): remove double bswap16 on accept4 port The manual byte assembly (sa_buf[2]<<8 | sa_buf[3]) already produces a host-byte-order port value; __builtin_bswap16 was swapping it again, causing SSL events to use wrong source ports and preventing TLS/HTTP session correlation. Co-Authored-By: Claude Opus 4.6 --- services/ja4ebpf/bpf/uprobe_ssl.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/services/ja4ebpf/bpf/uprobe_ssl.c b/services/ja4ebpf/bpf/uprobe_ssl.c index 5f070b9..4ffd0e6 100644 --- a/services/ja4ebpf/bpf/uprobe_ssl.c +++ b/services/ja4ebpf/bpf/uprobe_ssl.c @@ -227,11 +227,11 @@ int kretprobe_accept4_exit(struct sys_exit_accept4_ctx *ctx) bpf_probe_read_user(sa_buf, sizeof(sa_buf), (void *)sockaddr_ptr); /* Extraire port (octets 2-3) et adresse IP (octets 4-7) */ - __u16 sin_port = (__u16)(sa_buf[2] << 8) | sa_buf[3]; /* network byte order */ - __u32 sin_addr = *(__u32 *)(sa_buf + 4); /* network byte order */ + __u16 sin_port = (__u16)(sa_buf[2] << 8) | sa_buf[3]; /* already host byte order (manual assembly) */ + __u32 sin_addr = *(__u32 *)(sa_buf + 4); /* network byte order (raw memory read) */ - __u32 src_ip = __builtin_bswap32(sin_addr); /* host byte order */ - __u16 src_port = __builtin_bswap16(sin_port); /* host byte order */ + __u32 src_ip = __builtin_bswap32(sin_addr); /* network → host byte order */ + __u16 src_port = sin_port; /* already host byte order */ __u32 fd = (__u32)new_fd; /* Peupler accept_map[{pid_tgid, fd}] */