From 129a351a3f566fb0d025dfa7fd74e21ea7ae6a91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?=
Date: Thu, 31 Dec 2020 10:57:04 +0100
Subject: [PATCH] BUG/MINOR: quic: Wrong STREAM frames parsing.

After having re-read the RFC, we noticed there are two bugs in the STREAM frame parser. When the OFF bit (0x04) in the frame type is not set we must set the offset to 0 (it was not set at all). When the LEN bit (0x02) is not set we must extend the length of the data field to the end of the packet (it was not set at all).
---
 src/quic_frame.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/quic_frame.c b/src/quic_frame.c
index 89640f334..d80eb5ac4 100644
--- a/src/quic_frame.c
+++ b/src/quic_frame.c
@@ -396,10 +396,21 @@ static int quic_parse_stream_frame(struct quic_frame *frm, struct quic_conn *qc,
 {
 	struct quic_stream *stream = &frm->stream;
 
-	if (!quic_dec_int(&stream->id, buf, end) ||
-	    ((frm->type & QUIC_STREAM_FRAME_OFF_BIT) && !quic_dec_int(&stream->offset, buf, end)) ||
-	    ((frm->type & QUIC_STREAM_FRAME_LEN_BIT) &&
-	     (!quic_dec_int(&stream->len, buf, end) || end - *buf < stream->len)))
+	if (!quic_dec_int(&stream->id, buf, end))
+		return 0;
+
+	/* Offset parsing */
+	if (!(frm->type & QUIC_STREAM_FRAME_OFF_BIT)) {
+		stream->offset = 0;
+	}
+	else if (!quic_dec_int(&stream->offset, buf, end))
+		return 0;
+
+	/* Length parsing */
+	if (!(frm->type & QUIC_STREAM_FRAME_LEN_BIT)) {
+		stream->len = end - *buf;
+	}
+	else if (!quic_dec_int(&stream->len, buf, end) || end - *buf < stream->len)
 		return 0;
 
 	stream->data = *buf;
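Review bot: The length branch at the end of the hunk still accepts a frame whose final offset exceeds the varint maximum: `stream->offset` and `stream->len` are each bounded by `quic_dec_int` on their own, but their sum is never validated, and the QUIC transport spec (RFC 9000 §19.8) requires offset plus length to stay at or below 2^62-1, with anything larger being a FRAME_ENCODING_ERROR. Adding `if (stream->offset + stream->len > ((1ULL << 62) - 1)) return 0;` right after the length parsing closes that gap, assuming both fields are 64-bit as the varint decoder implies (the hunk does not show their declarations). The `stream->len = end - *buf` assignment also relies on `*buf <= end`, which callers presumably maintain; a one-line comment stating that invariant would make the unchecked subtraction easier to audit. As a style point the two new conditionals brace the `if` branch but not the `else if`; either brace both or neither. quic_parse_stream_frame's body continues past the hunk.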