mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-07 07:37:02 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: quic: Possible crashes when sending too short Initial packets

Browse Source 
This may happen during handshakes when Handshake packets cannot be coalesced
to a first Initial packet because of TX frame allocation failures (from
qc_build_frms()). This leads too short (not padded) Initial packets to be sent.
This is detected by a BUG_ON() in qc_send_ppkts().

To avoid this an Handshake packet without ack-eliciting frames which should have
been built by qc_build_frms() is built.

Must be backported as far as 2.6.
This commit is contained in:
Frédéric Lécaille 2023-11-07 18:29:28 +01:00
parent c78cb49a3b
commit b21e08cbd2
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/quic_tx.c
View File

@ -2283,11 +2283,17 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end,
end - pos, &len_frms, pos - beg, qel, qc)) { end - pos, &len_frms, pos - beg, qel, qc)) {
TRACE_PROTO("Not enough room", QUIC_EV_CONN_TXPKT, TRACE_PROTO("Not enough room", QUIC_EV_CONN_TXPKT,
qc, NULL, NULL, &room); qc, NULL, NULL, &room);
if (padding) {
len_frms = 0;
goto comp_pkt_len;
}
if (!ack_frm_len && !qel->pktns->tx.pto_probe) if (!ack_frm_len && !qel->pktns->tx.pto_probe)
goto no_room; goto no_room;
} }
} }
comp_pkt_len:
/* Length (of the remaining data). Must not fail because, the buffer size /* Length (of the remaining data). Must not fail because, the buffer size
* has been checked above. Note that we have reserved QUIC_TLS_TAG_LEN bytes * has been checked above. Note that we have reserved QUIC_TLS_TAG_LEN bytes
* for the encryption tag. It must be taken into an account for the length * for the encryption tag. It must be taken into an account for the length