From 45662efb2f329ca2211e6c83d84257662b15cea5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?=
Date: Tue, 18 Apr 2023 14:42:40 +0200
Subject: [PATCH] BUG/MINOR: quic: Unchecked buffer length when building the token

As server, an Initial does not contain a token but only the token length field with zero as value. The remaining room was not checked before writting this field.

Must be backported to 2.6 and 2.7.
---
 src/quic_conn.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/quic_conn.c b/src/quic_conn.c
index 86fcc1e0e..10a2948a0 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -7771,8 +7771,13 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end,
 		goto no_room;
 
 	/* Encode the token length (0) for an Initial packet. */
-	if (pkt->type == QUIC_PACKET_TYPE_INITIAL)
+	if (pkt->type == QUIC_PACKET_TYPE_INITIAL) {
+		if (end <= pos)
+			goto no_room;
+
 		*pos++ = 0;
+	}
+
 	head_len = pos - beg;
 	/* Build an ACK frame if required. */
 	ack_frm_len = 0;
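Review bot: The comment kept above the new block still reads as if a zero token length were inherent to every Initial packet, while the commit message makes clear this holds only because haproxy builds the packet as a server; a client-side Initial may carry a token and would need the real varint length plus the token bytes. Suggest extending that context line to `/* Encode the token length for an Initial packet. As server we never send a token, so only the varint length (0) is written. */` so nobody reuses this path for a client-side build without adjusting it. The added `end <= pos` check correctly reserves the single byte before the store, matching the `goto no_room` convention of the surrounding code. qc_do_build_pkt starts and ends outside the hunk, so whether `end` already accounts for the trailing TLS tag cannot be confirmed from here.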