BUG/MINOR: quic: Unchecked buffer length when building the token

As server, an Initial does not contain a token but only the token length field
with zero as value. The remaining room was not checked before writing this field.

Must be backported to 2.6 and 2.7.
Frédéric Lécaille 2023-04-18 14:42:40 +02:00
parent 0ed94032b2
commit 45662efb2f


@ -7771,8 +7771,13 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end,
goto no_room;
/* Encode the token length (0) for an Initial packet. */
if (pkt->type == QUIC_PACKET_TYPE_INITIAL)
if (pkt->type == QUIC_PACKET_TYPE_INITIAL) {
if (end <= pos)
goto no_room;
*pos++ = 0;
}
head_len = pos - beg;
/* Build an ACK frame if required. */
ack_frm_len = 0;
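
Review bot: the new `if (end <= pos)` test in the Initial branch reserves exactly one byte, which is sufficient only because the token length is hard-coded to 0 and a QUIC varint of 0 encodes in a single byte. A short comment stating that next to the check would prevent it from being reused unchanged if a non-zero token length is ever written at this point, where the encoding can take more than one byte. The existing comment "Encode the token length (0) for an Initial packet." now sits above the outer `if`, so it would read better moved inside the braces beside `*pos++ = 0;`. The commit message could also state the consequence of the missing check: when `pos` has already reached `end`, the old code stored one byte at `end`, past the space the caller provided.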