BUG/MINOR: quic: fix OOB read in preferred_address transport parameter

This bug impacts only the QUIC backend. A QUIC server does receive
a server preferred address transport parameter.

In quic_transport_param_dec_pref_addr(), the boundary check for the
connection ID was inverted and incorrect. This could lead to an
out-of-bounds read during the following memcpy.

This patch fixes the comparison to ensure the buffer has enough input data
for both the CID and the mandatory Stateless Reset Token.

Thank you to Kamil Frankowicz for having reported this.

Must be backported to 3.3.
Frederic Lecaille 2026-03-04 17:30:08 +01:00
parent 54b614d2b5
commit cdcdc016cc

@ -168,7 +168,7 @@ static int quic_transport_param_dec_pref_addr(struct tp_preferred_address *addr,
addr->cid.len = *(*buf)++;
if (addr->cid.len) {
if (end - sizeof(addr->stateless_reset_token) - *buf > addr->cid.len ||
if (end - *buf < addr->cid.len + sizeof(addr->stateless_reset_token) ||
addr->cid.len > sizeof(addr->cid.data)) {
return 0;
}
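Review bot: the new test `end - *buf < addr->cid.len + sizeof(addr->stateless_reset_token)` compares a signed pointer difference against a `size_t` sum, so the left side is converted to unsigned; if `*buf` were ever past `end` at this point, the difference would wrap to a very large value and the check would pass. The context line `addr->cid.len = *(*buf)++;` reads and advances the pointer just before, and the hunk shows no guard that a byte remained, so please confirm the earlier code guarantees `*buf < end` there, or reject `*buf > end` explicitly before the subtraction. Separately, the whole test sits under `if (addr->cid.len)`, so for a zero-length CID the visible lines do not verify that the Stateless Reset Token bytes are present, although the commit message calls the token mandatory; consider checking the token length outside that branch.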