From 3ef84c6166e169cbcc1fcb6e5d288f63d99f6afd Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 2 Apr 2026 14:20:39 +0100
Subject: [PATCH] ax(ueps): guard tagValue index access against zero-length TLV values

A malformed frame with length 0 for any single-byte tag (TagVersion, TagCurrentLayer, TagTargetLayer, TagIntent) or fewer than 2 bytes for TagThreatScore caused a runtime panic (index out of range) on untrusted input. Added len(tagValue) bounds checks in ReadAndVerify before each tagValue[0] and Uint16 access to eliminate the panic path.

Co-Authored-By: Charon
---
 pkg/ueps/reader.go | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/pkg/ueps/reader.go b/pkg/ueps/reader.go
index 23f91bd..04a132e 100644
--- a/pkg/ueps/reader.go
+++ b/pkg/ueps/reader.go
@@ -61,15 +61,25 @@ func ReadAndVerify(reader *bufio.Reader, sharedSecret []byte) (*ParsedPacket, er
 switch tagType {
 case TagVersion:
- packetHeader.Version = tagValue[0]
+ if len(tagValue) >= 1 {
+ packetHeader.Version = tagValue[0]
+ }
 case TagCurrentLayer:
- packetHeader.CurrentLayer = tagValue[0]
+ if len(tagValue) >= 1 {
+ packetHeader.CurrentLayer = tagValue[0]
+ }
 case TagTargetLayer:
- packetHeader.TargetLayer = tagValue[0]
+ if len(tagValue) >= 1 {
+ packetHeader.TargetLayer = tagValue[0]
+ }
 case TagIntent:
- packetHeader.IntentID = tagValue[0]
+ if len(tagValue) >= 1 {
+ packetHeader.IntentID = tagValue[0]
+ }
 case TagThreatScore:
- packetHeader.ThreatScore = binary.BigEndian.Uint16(tagValue)
+ if len(tagValue) >= 2 {
+ packetHeader.ThreatScore = binary.BigEndian.Uint16(tagValue)
+ }
 case TagHMAC:
 hmacSignature = tagValue
 }
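Review bot: The new guards in the `switch tagType` block skip a too-short value silently, so a frame with a truncated TagVersion, TagCurrentLayer, TagTargetLayer, TagIntent or TagThreatScore keeps parsing with that header field left at its zero value instead of being rejected. For untrusted input it is safer to fail closed, and a ThreatScore that defaults to 0 on a malformed frame is the kind of quiet default worth avoiding. Whether the later HMAC check would reject such a frame anyway cannot be seen here, because ReadAndVerify starts and ends outside the hunk. I would return an error from each case, in the package's existing error style, for example `if len(tagValue) != 1 { return nil, errors.New("ueps: malformed TLV length") }` for the single-byte tags and `!= 2` for TagThreatScore. The exact-length comparison also rejects over-long values, which `>= 1` and `>= 2` currently accept while ignoring the trailing bytes. A table-driven test feeding zero-length and over-long values for each tag would pin the behaviour.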