fix(ja4ebpf): remove double bswap16 on accept4 port

The manual byte assembly (sa_buf[2]<<8 | sa_buf[3]) already produces
a host-byte-order port value; __builtin_bswap16 was swapping it again,
causing SSL events to use wrong source ports and preventing TLS/HTTP
session correlation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jacquin Antoine
2026-04-15 02:57:29 +02:00
parent 61addc8cfa
commit e25caa85da


@ -227,11 +227,11 @@ int kretprobe_accept4_exit(struct sys_exit_accept4_ctx *ctx)
bpf_probe_read_user(sa_buf, sizeof(sa_buf), (void *)sockaddr_ptr);
/* Extraire port (octets 2-3) et adresse IP (octets 4-7) */
__u16 sin_port = (__u16)(sa_buf[2] << 8) | sa_buf[3]; /* network byte order */
__u32 sin_addr = *(__u32 *)(sa_buf + 4); /* network byte order */
__u16 sin_port = (__u16)(sa_buf[2] << 8) | sa_buf[3]; /* already host byte order (manual assembly) */
__u32 sin_addr = *(__u32 *)(sa_buf + 4); /* network byte order (raw memory read) */
__u32 src_ip = __builtin_bswap32(sin_addr); /* host byte order */
__u16 src_port = __builtin_bswap16(sin_port); /* host byte order */
__u32 src_ip = __builtin_bswap32(sin_addr); /* network → host byte order */
__u16 src_port = sin_port; /* already host byte order */
__u32 fd = (__u32)new_fd;
/* Peupler accept_map[{pid_tgid, fd}] */
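Review bot: The port and the address are still decoded by two different conventions on the new side: `sin_port` is assembled byte by byte, which is endianness-independent, while `src_ip` is a raw `*(__u32 *)(sa_buf + 4)` load followed by an unconditional `__builtin_bswap32`, which is a network-to-host conversion only on a little-endian target. Using `bpf_ntohl(sin_addr)` from `bpf_endian.h`, or assembling the four bytes the same way as the port, would keep both fields consistent and avoid a repeat of the mix-up this commit fixes. In the port line the cast binds only to the shifted term, so if `sa_buf` is declared as plain `char` rather than `__u8` (the declaration is outside the hunk), a byte of 0x80 or above in `sa_buf[3]` would sign-extend into the high byte; `__u16 sin_port = ((__u16)(__u8)sa_buf[2] << 8) | (__u8)sa_buf[3];` is safe either way. The return value of `bpf_probe_read_user` and the address family are not checked in the visible lines, and the body of `kretprobe_accept4_exit` starts and ends outside the hunk. If neither is checked above, a failed read or a non-IPv4 peer would store a bogus address and port in `accept_map` and silently break TLS/HTTP correlation.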