From 40b24543332878877ce2fa06b642c0ae19a88240 Mon Sep 17 00:00:00 2001
From: Omkhar Arasaratnam <22666538+omkhar@users.noreply.github.com>
Date: Thu, 2 Jul 2026 12:28:52 -0400
Subject: [PATCH] HttpSM.cc: fix SNI/Host check to compare full length, not just prefix
---
 src/proxy/http/HttpSM.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/proxy/http/HttpSM.cc b/src/proxy/http/HttpSM.cc
index b062e5bc723..0d5b616e02b 100644
--- a/src/proxy/http/HttpSM.cc
+++ b/src/proxy/http/HttpSM.cc
@@ -4566,7 +4566,8 @@ HttpSM::check_sni_host()
 Log::error("%s", error_bw_buffer.c_str());
 this->t_state.client_connection_allowed = false;
 }
- } else if (strncasecmp(host_name.data(), sni_value, host_len) != 0) { // Name mismatch
+ } else if (strlen(sni_value) != static_cast(host_len) ||
+ strncasecmp(host_name.data(), sni_value, host_len) != 0) { // Name mismatch
 Warning("SNI/hostname mismatch sni=%s host=%.*s action=%s", sni_value, host_len, host_name.data(), action_value);
 SMDbg(dbg_ctl_ssl_sni, "SNI/hostname mismatch sni=%s host=%.*s action=%s", sni_value, host_len, host_name.data(), action_value);
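Review bot: The new `strlen(sni_value)` guard in the `else if` of `HttpSM::check_sni_host()` has no comment saying why it must sit in front of the bounded compare, so a later cleanup could remove it as redundant and silently restore the prefix match that this policy check is meant to reject. I would add a line above the condition such as `// Compare lengths first: strncasecmp() bounded by host_len alone accepts any SNI that merely begins with the Host value.` The diffstat shows only HttpSM.cc changing, so nothing pins the fix; a regression test that sends a Host which is a proper prefix of the SNI and expects the mismatch warning and the configured action would cover it. The function starts and ends outside the hunk, so whether `sni_value` is already known to be non-null where `strlen()` is called cannot be confirmed from these lines.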