mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-21 13:51:26 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MAJOR: qpack: fix possible read out of bounds in static table

Browse Source 
CertiK Skyfall Team reported that passing an index greater than
QPACK_SHT_SIZE in a qpack instruction referencing a literal field
name with name reference or and indexed field line will cause a
read out of bounds that may crash the process, and confirmed that
this fix addresses the issue.

This needs to be backported as far as 2.5.
This commit is contained in:
Willy Tarreau 2023-03-17 16:40:09 +01:00
parent 5b4e16ee2d
commit f41dfc22b2
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/qpack-dec.c
View File

@ -335,7 +335,7 @@ int qpack_decode_fs(const unsigned char *raw, uint64_t len, struct buffer *tmp,
goto out;
}
if (static_tbl) {
if (static_tbl && index < QPACK_SHT_SIZE) {
name = qpack_sht[index].n;
value = qpack_sht[index].v;
}
@ -370,7 +370,7 @@ int qpack_decode_fs(const unsigned char *raw, uint64_t len, struct buffer *tmp,
goto out;
}
if (static_tbl) {
if (static_tbl && index < QPACK_SHT_SIZE) {
name = qpack_sht[index].n;
}
else {