BUG/MAJOR: quic: reject invalid token

Token parsing code on INITIAL packet for the NEW_TOKEN format is not
robust enough and may even crash on some rare malformed packets.

This patch fixes this by adding a check on the expected length of the
received token. The packet is now rejected if the token does not match
QUIC_TOKEN_LEN. This check is legitimate as haproxy should only parse
tokens emitted by itself.

This issue has been introduced with the implementation of NEW_TOKEN
tokens parsing required for 0-RTT support.

This issue is assigned to CVE-2026-26081 report.

This must be backported up to 3.0.

Reported-by: Asim Viladi Oglu Manizada <manizada@pm.me>
This commit is contained in:
Amaury Denoyelle 2026-02-09 09:04:13 +01:00
parent d80f0143c9
commit 4aa974f949

@ -129,6 +129,11 @@ int quic_token_check(struct quic_rx_packet *pkt,
goto err;
}
if (tokenlen != QUIC_TOKEN_LEN) {
TRACE_ERROR("invalid token length", QUIC_EV_CONN_LPKT, qc);
goto err;
}
/* Generate the AAD. */
aadlen = ipaddrcpy(aad, &dgram->saddr);
rand = token + tokenlen - QUIC_TOKEN_RAND_DLEN;
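
Review bot: the `tokenlen != QUIC_TOKEN_LEN` check has no comment explaining that it exists to protect the `rand = token + tokenlen - QUIC_TOKEN_RAND_DLEN` computation just below it, so a later refactor could reorder the two without noticing. Please add a one-line comment above the check saying that only tokens emitted by haproxy itself are parsed here, which is why exact equality is required, and that the length must be validated before any offset is derived from `tokenlen`. Since the pointer arithmetic is only safe when QUIC_TOKEN_LEN is at least QUIC_TOKEN_RAND_DLEN, a compile-time assertion on that relation next to the definitions would make the invariant explicit. Including the received length in the "invalid token length" trace would also help when diagnosing rejected packets.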