From 1359efdaf43dd4418031646c8f3d7a456c3a4570 Mon Sep 17 00:00:00 2001
From: netliomax25-code
Date: Thu, 28 May 2026 12:33:10 +0530
Subject: [PATCH] fix out-of-bounds read in extractIPFromForwardedHeader on empty for= token
---
 src/envoy/http/service_control/handler_utils.cc | 4 ++--
 src/envoy/http/service_control/handler_utils_test.cc | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/envoy/http/service_control/handler_utils.cc b/src/envoy/http/service_control/handler_utils.cc
index ffe7c9ec9..43178cd40 100644
--- a/src/envoy/http/service_control/handler_utils.cc
+++ b/src/envoy/http/service_control/handler_utils.cc
@@ -400,11 +400,11 @@ absl::StatusOr extractIPFromForwardedHeader(
 // IPv2 address is wrapped with \"[]\".
 // Remove double quote.
- if (ip[0] == '"' && ip[ip.size() - 1] == '"') {
+ if (ip.size() >= 2 && ip.front() == '"' && ip.back() == '"') {
 ip = ip.substr(1, ip.size() - 2);
 }
 // Remove [].
- if (ip[0] == '[' && ip[ip.size() - 1] == ']') {
+ if (ip.size() >= 2 && ip.front() == '[' && ip.back() == ']') {
 ip = ip.substr(1, ip.size() - 2);
 }
 std::string ip_str(ip);
diff --git a/src/envoy/http/service_control/handler_utils_test.cc b/src/envoy/http/service_control/handler_utils_test.cc
index bbadc620a..87b867428 100644
--- a/src/envoy/http/service_control/handler_utils_test.cc
+++ b/src/envoy/http/service_control/handler_utils_test.cc
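Review bot: In the handler_utils.cc hunk, an `ip` that is empty after the two guarded strips (`for=`, `for=""`, and also `for="[]"`) still flows into `std::string ip_str(ip);`, so rejecting it depends on code that lies outside this hunk, presumably the address parser. The Forwarded header is supplied by the request, so an explicit check placed right after the bracket strip would keep the rejection local, for example `if (ip.empty()) { return absl::InvalidArgumentError("empty for= token"); }`, with the status adjusted to whatever the function already returns for malformed values. The context comment `// IPv2 address is wrapped with ...` presumably means IPv6 and could be corrected in the same change.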
@@ -489,6 +489,16 @@ TEST(TestExtractIPFromForwardedHeader, WrongIpv4) {
 EXPECT_FALSE(extractIPFromForwardedHeader(headers).ok());
 }
+TEST(TestExtractIPFromForwardedHeader, EmptyForToken) {
+ Envoy::Http::TestRequestHeaderMapImpl headers{{"forwarded", "for="}};
+ EXPECT_FALSE(extractIPFromForwardedHeader(headers).ok());
+}
+
+TEST(TestExtractIPFromForwardedHeader, EmptyQuotedForToken) {
+ Envoy::Http::TestRequestHeaderMapImpl headers{{"forwarded", "for=\"\""}};
+ EXPECT_FALSE(extractIPFromForwardedHeader(headers).ok());
+}
+
 TEST(TestExtractIPFromForwardedHeader, WrongIpv6) {
 Envoy::Http::TestRequestHeaderMapImpl headers{
 {"forwarded", "for=\"[fe80::1%]\""}};
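Review bot: Neither added test covers a one-character token, which is the boundary the new `ip.size() >= 2` guard introduces. A lone `"` satisfies both the `front()` and `back()` comparison, so only the size guard keeps it from being stripped. A case with `headers{{"forwarded", "for=\""}}` and another with `headers{{"forwarded", "for=\"[]\""}}` (empty only after both strips), each asserting `EXPECT_FALSE(extractIPFromForwardedHeader(headers).ok());`, would pin that behaviour. The new tests assert only `!ok()`, so checking the returned status code as well would show that the value is rejected by validation rather than by an unrelated failure.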