From 1f435f031b80d04e82f70a8fdf814decf77a9f7e Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Mon, 20 Apr 2026 09:21:08 +0200
Subject: [PATCH] BUG/MINOR: xprt_qstrm: reduce max record length check

When trying to read QMux transport parameters frame, the record length is checked to ensure it is not bigger than the buffer size. The objective is to detect as soon as possible when receiving data that cannot be handled and to close the connection.

In fact, this check is not accurate, as it did not take into account the size of the Record length field itself. This patch fixes the comparison by substracting with the size of the decoded varint.

No need to backport.
---
 src/xprt_qstrm.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/xprt_qstrm.c b/src/xprt_qstrm.c
index 218be34d6..c2b330fda 100644
--- a/src/xprt_qstrm.c
+++ b/src/xprt_qstrm.c
@@ -59,7 +59,7 @@ int conn_recv_qstrm(struct connection *conn, struct xprt_qstrm_ctx *ctx, int fla
 	struct buffer *buf = &ctx->rxbuf;
 	const unsigned char *pos, *old, *end;
 	uint64_t rlen;
-	size_t ret;
+	size_t ret, rlen_sz = 0;
 
 	if (!conn_ctrl_ready(conn))
 		goto fail;
@@ -83,11 +83,11 @@ int conn_recv_qstrm(struct connection *conn, struct xprt_qstrm_ctx *ctx, int fla
 	/* Read record length. */
 	if (!ctx->rxrlen) {
-		if (!b_quic_dec_int(&rlen, buf, NULL))
+		if (!b_quic_dec_int(&rlen, buf, &rlen_sz))
 			goto not_ready;
 
 		/* Reject too small or too big records. */
-		if (!rlen || rlen > b_size(buf))
+		if (!rlen || rlen > b_size(buf) - rlen_sz)
 			goto fail;
 
 		ctx->rxrlen = rlen;
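Review bot: The new declaration `size_t ret, rlen_sz = 0;` in the first hunk mixes an uninitialized variable with an initialized one on a single line, and the initializer is easy to miss; one declaration per line, `size_t ret;` followed by `size_t rlen_sz = 0;`, would make it visible. The zero initializer is what keeps the later `b_size(buf) - rlen_sz` well-defined on the path where the decoder returns success without writing its out-parameter, if such a path exists; whether b_quic_dec_int sets *rlen_sz on every success path is not visible here, so a comment such as `/* varint size, filled in by b_quic_dec_int() on success */` next to the declaration would document why the default is safe. The subtraction itself is unsigned, so it relies on the decoded varint having been read from buf (rlen_sz never exceeding b_size(buf)); that seems implied by the decoder's contract but is worth stating in the comment on the length check. The body of conn_recv_qstrm continues outside the hunk.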