BUG/MINOR: xprt_qstrm: reduce max record length check

When trying to read QMux transport parameters frame, the record length
is checked to ensure it is not bigger than the buffer size. The
objective is to detect as soon as possible when receiving data that
cannot be handled and to close the connection.

In fact, this check is not accurate, as it did not take into account the
size of the Record length field itself. This patch fixes the comparison
by subtracting the size of the decoded varint.

No need to backport.
Amaury Denoyelle 2026-04-20 09:21:08 +02:00
parent bee81dc53c
commit 1f435f031b


@ -59,7 +59,7 @@ int conn_recv_qstrm(struct connection *conn, struct xprt_qstrm_ctx *ctx, int fla
struct buffer *buf = &ctx->rxbuf;
const unsigned char *pos, *old, *end;
uint64_t rlen;
size_t ret;
size_t ret, rlen_sz = 0;
if (!conn_ctrl_ready(conn))
goto fail;
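Review bot: the new `rlen_sz` in `size_t ret, rlen_sz = 0;` carries no comment explaining what it holds, and its only reader is the length comparison further down, which runs after `b_quic_dec_int()` has filled it in, so the `= 0` initializer is not load-bearing. A one-line comment such as `/* encoded size of the record-length varint */` next to the declaration would make the later subtraction self-explanatory; declaring it on its own line, as `rlen` is, would also keep the declarations consistent.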
@ -83,11 +83,11 @@ int conn_recv_qstrm(struct connection *conn, struct xprt_qstrm_ctx *ctx, int fla
/* Read record length. */
if (!ctx->rxrlen) {
if (!b_quic_dec_int(&rlen, buf, NULL))
if (!b_quic_dec_int(&rlen, buf, &rlen_sz))
goto not_ready;
/* Reject too small or too big records. */
if (!rlen || rlen > b_size(buf))
if (!rlen || rlen > b_size(buf) - rlen_sz)
goto fail;
ctx->rxrlen = rlen;
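Review bot: the comment `/* Reject too small or too big records. */` above `if (!rlen || rlen > b_size(buf) - rlen_sz)` should say why `rlen_sz` is subtracted, i.e. that the record payload must fit in the buffer together with its length prefix; without that, the subtraction reads like an off-by-one guess. The subtraction itself cannot wrap: `rlen_sz` is the number of bytes `b_quic_dec_int()` just consumed from `buf`, so it is bounded by the data present in the buffer and therefore by `b_size(buf)`. Worth stating in the comment so a future reader does not add a redundant guard.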