From 7629f5d6709c539c6c9012949411281144c82f53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?=
Date: Thu, 11 Aug 2022 18:54:26 +0200
Subject: [PATCH] BUG/MEDIUM: quic: Wrong use of in qc_lsntr_pkt_rcv()

This commit was not complete: "BUG/MEDIUM: quic: Possible use of uninitialized variable in qc_lstnr_params_init()" should have been directly passed to qc_lstnr_params_init() without dereferencing it to prevent haproxy to have new chances to crash!
Must be backported to 2.6.
---
 include/haproxy/quic_tp.h | 2 +-
 src/quic_tp.c | 6 +++---
 src/xprt_quic.c | 5 ++---
 3 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/include/haproxy/quic_tp.h b/include/haproxy/quic_tp.h
index d6b7acc252..45124482fd 100644
--- a/include/haproxy/quic_tp.h
+++ b/include/haproxy/quic_tp.h
@@ -25,7 +25,7 @@ int qc_lstnr_params_init(struct quic_conn *qc,
 const unsigned char *stateless_reset_token,
 const unsigned char *dcid, size_t dcidlen,
 const unsigned char *scid, size_t scidlen,
- const unsigned char *token_odcid, size_t token_odcidlen);
+ const struct quic_cid *token_odcid);
 
 /* Dump transport parameter connection ID value if present (non null length).
 * Used only for debugging purposes.
diff --git a/src/quic_tp.c b/src/quic_tp.c
index 449f94e331..ca77289e3b 100644
--- a/src/quic_tp.c
+++ b/src/quic_tp.c
@@ -643,7 +643,7 @@ int qc_lstnr_params_init(struct quic_conn *qc,
 const unsigned char *stateless_reset_token,
 const unsigned char *dcid, size_t dcidlen,
 const unsigned char *scid, size_t scidlen,
- const unsigned char *token_odcid, size_t token_odcidlen)
+ const struct quic_cid *token_odcid)
 {
 struct quic_transport_params *rx_params = &qc->rx.params;
 struct tp_cid *odcid_param = &rx_params->original_destination_connection_id;
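Review bot: The new `token_odcid` parameter may legitimately be NULL — the definition in src/quic_tp.c guards the copy with `if (token_odcid)` and the caller in src/xprt_quic.c initialises it to NULL — but the prototype carries no comment stating that contract. A short comment above the declaration, e.g. `/* token_odcid: ODCID received from the client token, or NULL when there is none; when non-NULL its data/len are copied into the original_destination_connection_id parameter. */`, would make the nullable contract visible to future callers. The same documentation applies to the definition hunk at src/quic_tp.c line 643. The prototype's first line and the listener_params parameter are outside this hunk.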
@@ -655,8 +655,8 @@ int qc_lstnr_params_init(struct quic_conn *qc,
 sizeof rx_params->stateless_reset_token);
 /* Copy original_destination_connection_id transport parameter. */
 if (token_odcid) {
- memcpy(odcid_param->data, token_odcid, token_odcidlen);
- odcid_param->len = token_odcidlen;
+ memcpy(odcid_param->data, token_odcid->data, token_odcid->len);
+ odcid_param->len = token_odcid->len;
 /* Copy retry_source_connection_id transport parameter. */
 memcpy(rx_params->retry_source_connection_id.data, dcid, dcidlen);
 rx_params->retry_source_connection_id.len = dcidlen;
diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index 83a1aacaae..7d7ba0bfbe 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -4725,8 +4725,7 @@ static struct quic_conn *qc_new_conn(const struct quic_version *qv, int ipv4,
 if (server && !qc_lstnr_params_init(qc, &l->bind_conf->quic_params,
 icid->stateless_reset_token,
 dcid->data, dcid->len,
- qc->scid.data, qc->scid.len,
- token_odcid->data, token_odcid->len))
+ qc->scid.data, qc->scid.len, token_odcid))
 goto err;
 
 if (qc_conn_alloc_ssl_ctx(qc) ||
@@ -5774,7 +5773,7 @@ static void qc_lstnr_pkt_rcv(unsigned char *buf, const unsigned char *end,
 if (long_header) {
 uint64_t len;
 struct quic_cid odcid;
- struct quic_cid *token_odcid = NULL; // ODCID received from client token
+ const struct quic_cid *token_odcid = NULL; // ODCID received from client token
 
 TRACE_PROTO("long header packet received", QUIC_EV_CONN_LPKT, qc);
 if (!quic_packet_read_long_header(&buf, end, pkt)) {
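Review bot: The copy `memcpy(odcid_param->data, token_odcid->data, token_odcid->len);` takes its length from a value decoded out of the client-supplied token, and nothing in this hunk bounds it against the capacity of `odcid_param->data`. If the token decoder already rejects connection IDs longer than that capacity, a one-line comment at this memcpy saying so would spare the next reader the check; if it does not, a guard such as `if (token_odcid->len > sizeof odcid_param->data) return 0;` (assuming `data` is a fixed-size array; the caller treats 0 as failure and jumps to err) belongs before the copy. The rest of the function, including the close of the `if (token_odcid)` block, is outside the hunk.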
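Review bot: After this change the call mixes two conventions for the same kind of argument: `dcid->data, dcid->len` and `qc->scid.data, qc->scid.len` are still passed as pointer/length pairs while `token_odcid` is now passed as a `const struct quic_cid *`. If `dcid` and `qc->scid` are `struct quic_cid` as their field names suggest, passing `dcid` and `&qc->scid` the same way would shorten the signature and remove two more places where a length can drift from its buffer; this is a style point only, the call is correct as written. qc_new_conn starts and ends outside the hunk.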