BUG/MEDIUM: quic: error checking buffer large enought to receive the retry tag

When building a retry message, the offset of the tag was checked instead of the
remaining length in the buffer.

Must be backported as far as 2.6.
Emeric Brun 2023-06-27 15:24:05 +02:00 committed by Amaury Denoyelle
parent e12e202f6a
commit f473eb7206


@ -6677,7 +6677,7 @@ static int send_retry(int fd, struct sockaddr_storage *addr,
i += token_len; i += token_len;
/* token integrity tag */ /* token integrity tag */
if ((&buf[i] - buf < QUIC_TLS_TAG_LEN) || if ((sizeof(buf) - i < QUIC_TLS_TAG_LEN) ||
!quic_tls_generate_retry_integrity_tag(pkt->dcid.data, !quic_tls_generate_retry_integrity_tag(pkt->dcid.data,
pkt->dcid.len, buf, i, qv)) { pkt->dcid.len, buf, i, qv)) {
TRACE_ERROR("quic_tls_generate_retry_integrity_tag() failed", QUIC_EV_CONN_TXPKT); TRACE_ERROR("quic_tls_generate_retry_integrity_tag() failed", QUIC_EV_CONN_TXPKT);
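Review bot: The corrected bound `sizeof(buf) - i < QUIC_TLS_TAG_LEN` is evaluated in unsigned arithmetic, so it is only meaningful while `i` does not exceed `sizeof(buf)`; if the earlier writes in send_retry() could ever advance `i` past the end, the subtraction would wrap to a large value and the guard would pass. Those writes and the declarations of `buf` and `i` lie outside this hunk, so this may already be guaranteed, but the test can be made self-contained with `if ((i > sizeof(buf) || sizeof(buf) - i < QUIC_TLS_TAG_LEN) ||`. The expression also assumes `buf` is an array in this scope rather than a pointer, which is worth confirming and stating in the `/* token integrity tag */` comment. Separately, the TRACE_ERROR text names only quic_tls_generate_retry_integrity_tag(), so a failed space check is logged as a tag-generation failure; a distinct message for the length case would make traces easier to triage.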