BUG/MINOR: quic: reject invalid max_udp_payload size

Add a checks on received max_udp_payload transport parameters. As defined per RFC 9000, values below 1200 are invalid, and thus the connection must be closed with TRANSPORT_PARAMETER_ERROR code. Prior to this patch, an invalid value was silently ignored. This should be backported up to 2.6. Note that is relies on previous patch "MINOR: quic: extend return value on TP parsing".
2025-05-16 06:38:03 +00:00 · 2025-05-06 18:01:32 +02:00 · 2025-05-06 18:01:32 +02:00 · 4bc7aa548a
commit 4bc7aa548a
parent ffabfb0fc3
1 changed files with 10 additions and 0 deletions
--- a/src/quic_tp.c
+++ b/src/quic_tp.c
@ -310,6 +310,16 @@ quic_transport_param_decode(struct quic_transport_params *p, int server,
 	case QUIC_TP_MAX_UDP_PAYLOAD_SIZE:
 		if (!quic_dec_int(&p->max_udp_payload_size, buf, end))
 			return QUIC_TP_DEC_ERR_TRUNC;
+
+		/* RFC 9000 18.2. Transport Parameter Definitions
+		 *
+		 * max_udp_payload_size (0x03): [...]
+		 * The default for this parameter is the maximum permitted UDP
+		 * payload of 65527. Values below 1200 are invalid.
+		 */
+		if (p->max_udp_payload_size < 1200)
+			return QUIC_TP_DEC_ERR_INVAL;
+
 		break;
 	case QUIC_TP_INITIAL_MAX_DATA:
 		if (!quic_dec_int(&p->initial_max_data, buf, end))