upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-03-06 23:31:08 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

BUG/MINOR: qpack: fix 1-byte OOB read in qpack_decode_fs_pfx()

Browse source 
In qpack_decode_fs_pfx(), if the first qpack_get_varint() call
consumes the entire buffer, the code would perform a 1-byte
out-of-bounds read when accessing the sign bit via **raw.

This patch adds an explicit length check at the beginning of
qpack_get_varint(), which systematically secures all other callers
against empty inputs. It also adds a necessary check before the
second varint call in qpack_decode_fs_pfx() to ensure data is still
available before dereferencing the pointer to extract the sign bit,
returning QPACK_RET_TRUNCATED if the buffer is exhausted.

Thank you to Kamil Frankowicz for having reported this.

Must be backported as far as 2.6.
This commit is contained in:
Frederic Lecaille 2026-03-04 14:10:49 +01:00
parent e38b86e72c
commit 54b614d2b5
1 changed files with 10 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
src/qpack-dec.c
View file

@ -65,6 +65,9 @@ static uint64_t qpack_get_varint(const unsigned char **buf, uint64_t *len_in, in
const uint8_t *raw = *buf;
uint8_t shift = 0;
if (len == 0)
goto too_short;
len--;
ret = *raw++ & ((1ULL << b) - 1);
if (ret != (uint64_t)((1ULL << b) - 1))
@ -220,6 +223,13 @@ static int qpack_decode_fs_pfx(uint64_t *enc_ric, uint64_t *db, int *sign_bit,
if (*len == (uint64_t)-1)
return -QPACK_RET_RIC;
/* Ensure at least one byte remains for the sign bit
* and the start of the Delta Base varint.
*/
if (!*len)
return -QPACK_RET_TRUNCATED;
/* Safe access to the sign bit thanks to the check above */
*sign_bit = **raw & 0x8;
*db = qpack_get_varint(raw, len, 7);
if (*len == (uint64_t)-1)