From e38b86e72c0a587b6311a56d45cd8c22286d2c8f Mon Sep 17 00:00:00 2001
From: Frederic Lecaille
Date: Wed, 4 Mar 2026 14:02:28 +0100
Subject: [PATCH] BUG/MAJOR: qpack: unchecked length passed to huffman decoder

A call to huffman decoder function (huff_dec()) is made from qpack_decode_fs() without checking the buffer length passed to this function, leading to OOB read which can crash the process.

Thank you to Kamil Frankowicz for having reported this.

Must be backport as far as 2.6.
---
 src/qpack-dec.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/qpack-dec.c b/src/qpack-dec.c
index 5798b0865..130815d6a 100644
--- a/src/qpack-dec.c
+++ b/src/qpack-dec.c
@@ -421,6 +421,12 @@ int qpack_decode_fs(const unsigned char *raw, uint64_t len, struct buffer *tmp,
 			goto out;
 		}
 
+		if (len < length) {
+			qpack_debug_printf(stderr, "##ERR@%d\n", __LINE__);
+			ret = -QPACK_RET_TRUNCATED;
+			goto out;
+		}
+
 		qpack_debug_printf(stderr, " h=%d length=%llu", !!h, (unsigned long long)length);
 		if (h) {
 			char *trash;
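Review bot: The `len < length` guard is placed before the `if (h)` branch, so it bounds both the Huffman path and whatever non-Huffman copy follows for this literal, but it protects only this one site; if qpack_decode_fs decodes other literal strings the same way (a literal field name, for instance), each of those `huff_dec()`/copy calls needs the same check, and the hunk does not show whether they have it. The new lines also rely on `len` already having been reduced by the prefix-integer bytes consumed while decoding `length`; that update is outside the hunk and should be confirmed, otherwise the comparison is off by the size of the length prefix. A one-line comment would make the intent durable for the next reader: `/* <length> comes from the wire: it must fit in the remaining input before huff_dec()/memcpy trust it */`. qpack_decode_fs begins and ends outside the hunk.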