From f41dfc22b20b2b5c295e8d80e062b896e7153b88 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Fri, 17 Mar 2023 16:40:09 +0100
Subject: [PATCH] BUG/MAJOR: qpack: fix possible read out of bounds in static table

CertiK Skyfall Team reported that passing an index greater than QPACK_SHT_SIZE in a qpack instruction referencing a literal field name with name reference or and indexed field line will cause a read out of bounds that may crash the process, and confirmed that this fix addresses the issue. This needs to be backported as far as 2.5.
---
src/qpack-dec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/qpack-dec.c b/src/qpack-dec.c
index 2d8115645..a6e292327 100644
--- a/src/qpack-dec.c
+++ b/src/qpack-dec.c
@@ -335,7 +335,7 @@ int qpack_decode_fs(const unsigned char *raw, uint64_t len, struct buffer *tmp,
 goto out;
 }
- if (static_tbl) {
+ if (static_tbl && index < QPACK_SHT_SIZE) {
 name = qpack_sht[index].n;
 value = qpack_sht[index].v;
 }
@@ -370,7 +370,7 @@ int qpack_decode_fs(const unsigned char *raw, uint64_t len, struct buffer *tmp,
 goto out;
 }
- if (static_tbl) {
+ if (static_tbl && index < QPACK_SHT_SIZE) {
 name = qpack_sht[index].n;
 }
 else {
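Review bot: An out-of-range static index is not rejected by the new condition `static_tbl && index < QPACK_SHT_SIZE` in the first hunk (and again in the hunk at line 370); it falls into the `else` branch, which otherwise handles references that are not to the static table. RFC 9204 requires an invalid static table index to be treated as a QPACK_DECOMPRESSION_FAILED connection error, so an explicit guard ahead of the lookup would be clearer: `if (static_tbl && index >= QPACK_SHT_SIZE)`, then set the decoder's error return and `goto out;`. The `else` bodies and the rest of `qpack_decode_fs` lie outside both hunks, so what that branch does with a peer-supplied index of this kind should be confirmed. A regression test using `index == QPACK_SHT_SIZE`, the first invalid value, for both instruction types would pin the boundary.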