From cc2764e7fe725f35845e978ace5f7fadef1c695d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?=
Date: Wed, 23 Mar 2022 14:09:09 +0100
Subject: [PATCH] BUG/MINOR: quic: Wrong buffer length passed to generate_retry_token()

After having consumed bytes from , the remaining available room to be passed to generate_retry_token() is sizeof(buf) - i. This bug could be easily reproduced with quic-qo as client which chooses a random value as ODCID length.
---
 src/xprt_quic.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index 9a1e9eb5c..d0beb500f 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -4249,8 +4249,9 @@ static int send_retry(int fd, struct sockaddr_storage *addr,
 i += scid.len;
 /* token */
- if (!(token_len = generate_retry_token(&buf[i], &buf[i] - buf, pkt)))
+ if (!(token_len = generate_retry_token(&buf[i], sizeof(buf) - i, pkt)))
 return 1;
+
 i += token_len;
 /* token integrity tag */
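Review bot: The new length argument `sizeof(buf) - i` in the generate_retry_token() call is the remaining room only if `buf` is an array declared inside send_retry() and `i` can never exceed its size; both declarations sit outside the hunk, so this should be confirmed. The subtraction is carried out in size_t, so an `i` larger than the buffer would wrap to a very large length instead of failing. The commit message says a client-chosen ODCID length triggers the bug, and the hunk shows `i` being advanced by a connection-ID length (`i += scid.len;`), so an explicit guard ahead of the call, `if ((size_t)i > sizeof(buf)) return 1;`, would make the bound visible at the point of use. The token integrity tag step that begins after `i += token_len;` continues past the end of the hunk and is worth checking for the same consumed-versus-remaining mix-up that the old `&buf[i] - buf` expression had.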