GHSA-cc37-9q2j-3hfvHighCVSS 7.5
Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length
🔗 CVE IDs covered (1)
📋 Description
When decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls header.retainedSlice(header.readerIndex(), length) and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsException. HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the IOOBE propagates and the retained slice on the pooled cumulation buffer is never released.
🎯 Affected products2
- maven/io.netty:netty-codec-haproxy:>= 4.2.0.Final, <= 4.2.14.Final
- maven/io.netty:netty-codec-haproxy:<= 4.1.134.Final