From d79774ee274bf6b67b976a1ca5edc73759d12404 Mon Sep 17 00:00:00 2001
From: Nikola Grcevski <6207777+grcevski@users.noreply.github.com>
Date: Fri, 11 Oct 2024 19:57:18 -0400
Subject: [PATCH] Fix off by one error with kafka parsing (#1253)

---
 pkg/internal/ebpf/common/kafka_detect_transform.go      | 2 +-
 pkg/internal/ebpf/common/kafka_detect_transform_test.go | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/pkg/internal/ebpf/common/kafka_detect_transform.go b/pkg/internal/ebpf/common/kafka_detect_transform.go
index dbcd0e705..b6b9fa1ca 100644
--- a/pkg/internal/ebpf/common/kafka_detect_transform.go
+++ b/pkg/internal/ebpf/common/kafka_detect_transform.go
@@ -253,7 +253,7 @@ func getTopicNameSize(pkt []byte, offset int, op Operation, apiVersion int16) (i
 		if err != nil {
 			return 0, err
 		}
-	} else if offset < len(pkt) {
+	} else if offset < (len(pkt) - 1) { // we need at least 2 bytes to read uint16
 		topicNameSize = int(binary.BigEndian.Uint16(pkt[offset:]))
 	}
 	if topicNameSize <= 0 {
diff --git a/pkg/internal/ebpf/common/kafka_detect_transform_test.go b/pkg/internal/ebpf/common/kafka_detect_transform_test.go
index 96512a80f..d42a0a311 100644
--- a/pkg/internal/ebpf/common/kafka_detect_transform_test.go
+++ b/pkg/internal/ebpf/common/kafka_detect_transform_test.go
@@ -13,6 +13,15 @@ func TestProcessKafkaRequest(t *testing.T) {
 		input    []byte
 		expected *KafkaInfo
 	}{
+		{
+			name:  "Fetch request (v11) truncated - 1",
+			input: []byte{0, 0, 0, 94, 0, 1, 0, 11, 0, 0, 0, 224, 0, 6, 115, 97, 114, 97, 109, 97, 255, 255, 255, 255, 0, 0, 1, 244, 0, 0, 0, 1, 6, 64, 0, 0, 0, 0, 0, 0, 0, 255, 255, 255, 255, 0, 0, 0, 1, 0},
+			expected: &KafkaInfo{
+				ClientID:    "sarama",
+				Operation:   Fetch,
+				TopicOffset: 45,
+			},
+		},
 		{
 			name:  "Fetch request (v11) truncated",
 			input: []byte{0, 0, 0, 94, 0, 1, 0, 11, 0, 0, 0, 224, 0, 6, 115, 97, 114, 97, 109, 97, 255, 255, 255, 255, 0, 0, 1, 244, 0, 0, 0, 1, 6, 64, 0, 0, 0, 0, 0, 0, 0, 255, 255, 255, 255, 0, 0, 0, 1},