From 3122c75fd1f9a73a13ec533a4f313be0af1c5348 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= Date: Wed, 7 Sep 2022 15:06:52 +0200 Subject: [PATCH] BUG/MINOR: quic: Wrong connection ID to thread ID association To work, quic_pin_cid_to_tid() must set cid[0] to a value with as modulo. For each integer n, (n - (n % m)) + d has always d as modulo m (with d < m). So, this statement seemed correct: cid[0] = cid[0] - (cid[0] % global.nbthread) + target_tid; except when n wraps or when another modulo is applied to the addition result. Here, for 8bit modulo arithmetic, if m does not divides 256, this cannot works for values which wraps when we increment them by d. For instance n=255 m=3 and d=1 the formula result is 0 (should be d). To fix this, we first limit c[0] to 255 - to prevent c[0] from wrapping. Thank you to @esb for having reported this issue in GH #1855. Must be backported to 2.6 --- include/haproxy/xprt_quic.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/haproxy/xprt_quic.h b/include/haproxy/xprt_quic.h index e84959ff4..589923808 100644 --- a/include/haproxy/xprt_quic.h +++ b/include/haproxy/xprt_quic.h @@ -225,6 +225,7 @@ static inline unsigned long quic_get_cid_tid(const unsigned char *cid) */ static inline void quic_pin_cid_to_tid(unsigned char *cid, int target_tid) { + cid[0] = MIN(cid[0], 255 - target_tid); cid[0] = cid[0] - (cid[0] % global.nbthread) + target_tid; }
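Review bot: the added clamp `cid[0] = MIN(cid[0], 255 - target_tid);` in quic_pin_cid_to_tid() only prevents the wrap if 0 <= target_tid <= 255 and target_tid < global.nbthread, and neither bound is checked or documented in the lines shown. target_tid is a signed int, so a negative value or one above 255 makes `255 - target_tid` fall outside the unsigned char range, and the assignment silently truncates it. The commit message states the d < m precondition, but the code does not. Please state the precondition in the function comment, or enforce it at the top of the function, and add a one-line comment above the MIN() explaining that it keeps the following addition from wrapping past 255. With the commit message's own case (n=255, m=3, d=1) the clamp gives 254, then 254 - (254 % 3) + 1 = 253, and 253 % 3 = 1 as intended, so the arithmetic is correct within those bounds. Also worth noting in the comment: every first byte above 255 - target_tid now collapses to the same value, so the first byte of the CID is slightly less uniform than before.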