From b21e08cbd275fc6da24d1f3f0ec54a96f318c751 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= Date: Tue, 7 Nov 2023 18:29:28 +0100 Subject: [PATCH] BUG/MEDIUM: quic: Possible crashes when sending too short Initial packets This may happen during handshakes when Handshake packets cannot be coalesced to a first Initial packet because of TX frame allocation failures (from qc_build_frms()). This leads too short (not padded) Initial packets to be sent. This is detected by a BUG_ON() in qc_send_ppkts(). To avoid this an Handshake packet without ack-eliciting frames which should have been built by qc_build_frms() is built. Must be backported as far as 2.6. --- src/quic_tx.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/quic_tx.c b/src/quic_tx.c index 5d343600d..0a0e4bc79 100644 --- a/src/quic_tx.c +++ b/src/quic_tx.c @@ -2283,11 +2283,17 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end, end - pos, &len_frms, pos - beg, qel, qc)) { TRACE_PROTO("Not enough room", QUIC_EV_CONN_TXPKT, qc, NULL, NULL, &room); + if (padding) { + len_frms = 0; + goto comp_pkt_len; + } + if (!ack_frm_len && !qel->pktns->tx.pto_probe) goto no_room; } } + comp_pkt_len: /* Length (of the remaining data). Must not fail because, the buffer size * has been checked above. Note that we have reserved QUIC_TLS_TAG_LEN bytes * for the encryption tag. It must be taken into an account for the length