From cdcdc016cc19783610d953e04288d2a50689b43d Mon Sep 17 00:00:00 2001 From: Frederic Lecaille Date: Wed, 4 Mar 2026 17:30:08 +0100 Subject: [PATCH] BUG/MINOR: quic: fix OOB read in preferred_address transport parameter This bug impacts only the QUIC backend. A QUIC server does receive a server preferred address transport parameter. In quic_transport_param_dec_pref_addr(), the boundary check for the connection ID was inverted and incorrect. This could lead to an out-of-bounds read during the following memcpy. This patch fixes the comparison to ensure the buffer has enough input data for both the CID and the mandatory Stateless Reset Token. Thank you to Kamil Frankowicz for having reported this. Must be backported to 3.3. --- src/quic_tp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/quic_tp.c b/src/quic_tp.c index 2c50b1281..309411af0 100644 --- a/src/quic_tp.c +++ b/src/quic_tp.c @@ -168,7 +168,7 @@ static int quic_transport_param_dec_pref_addr(struct tp_preferred_address *addr, addr->cid.len = *(*buf)++; if (addr->cid.len) { - if (end - sizeof(addr->stateless_reset_token) - *buf > addr->cid.len || + if (end - *buf < addr->cid.len + sizeof(addr->stateless_reset_token) || addr->cid.len > sizeof(addr->cid.data)) { return 0; }
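Review bot: The new bound on the `+` line, `end - *buf < addr->cid.len + sizeof(addr->stateless_reset_token)`, only runs inside `if (addr->cid.len) {`, so for a zero-length CID nothing in this hunk checks that the input still holds the Stateless Reset Token the commit message calls mandatory. If no later check in the function covers that path, hoist the length test out of the `if`; with `addr->cid.len` equal to 0 it reduces to the token size. Separately, `end - *buf` is a signed pointer difference compared against a `size_t` sum, so the test is only sound when `*buf <= end` holds after `addr->cid.len = *(*buf)++;`. The hunk shows no check ahead of that one-byte read, so please confirm that an earlier bound in the function guarantees it, or add one. A short comment above the condition stating that it covers both the CID and the token would also help the 3.3 backport review.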