upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-03-08 17:10:42 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

BUG/MAJOR: qpack: unchecked length passed to huffman decoder

Browse source 
A call to huffman decoder function (huff_dec()) is made from qpack_decode_fs()
without checking the buffer length passed to this function, leading to OOB read
which can crash the process.

Thank you to Kamil Frankowicz for having reported this.

Must be backport as far as 2.6.
This commit is contained in:
Frederic Lecaille 2026-03-04 14:02:28 +01:00
parent 7315428615
commit e38b86e72c
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/qpack-dec.c
View file

@ -421,6 +421,12 @@ int qpack_decode_fs(const unsigned char *raw, uint64_t len, struct buffer *tmp,
goto out;
}
if (len < length) {
qpack_debug_printf(stderr, "##ERR@%d\n", __LINE__);
ret = -QPACK_RET_TRUNCATED;
goto out;
}
qpack_debug_printf(stderr, " h=%d length=%llu", !!h, (unsigned long long)length);
if (h) {
char *trash;