BUG/MEDIUM: quic: Wrong use of <token_odcid> in qc_lsntr_pkt_rcv()

This commit was not complete:
  "BUG/MEDIUM: quic: Possible use of uninitialized <odcid>
variable in qc_lstnr_params_init()"
<token_odcid> should have been passed directly to qc_lstnr_params_init()
without being dereferenced, so that haproxy does not get new chances to crash!

Must be backported to 2.6.
Frdric Lcaille 2022-08-11 18:54:26 +02:00 committed by Willy Tarreau
parent 18d1306abd
commit 7629f5d670
3 changed files with 6 additions and 7 deletions


@ -25,7 +25,7 @@ int qc_lstnr_params_init(struct quic_conn *qc,
const unsigned char *stateless_reset_token,
const unsigned char *dcid, size_t dcidlen,
const unsigned char *scid, size_t scidlen,
const unsigned char *token_odcid, size_t token_odcidlen);
const struct quic_cid *token_odcid);
/* Dump <cid> transport parameter connection ID value if present (non null length).
* Used only for debugging purposes.


@ -643,7 +643,7 @@ int qc_lstnr_params_init(struct quic_conn *qc,
const unsigned char *stateless_reset_token,
const unsigned char *dcid, size_t dcidlen,
const unsigned char *scid, size_t scidlen,
const unsigned char *token_odcid, size_t token_odcidlen)
const struct quic_cid *token_odcid)
{
struct quic_transport_params *rx_params = &qc->rx.params;
struct tp_cid *odcid_param = &rx_params->original_destination_connection_id;
@ -655,8 +655,8 @@ int qc_lstnr_params_init(struct quic_conn *qc,
sizeof rx_params->stateless_reset_token);
/* Copy original_destination_connection_id transport parameter. */
if (token_odcid) {
memcpy(odcid_param->data, token_odcid, token_odcidlen);
odcid_param->len = token_odcidlen;
memcpy(odcid_param->data, token_odcid->data, token_odcid->len);
odcid_param->len = token_odcid->len;
/* Copy retry_source_connection_id transport parameter. */
memcpy(rx_params->retry_source_connection_id.data, dcid, dcidlen);
rx_params->retry_source_connection_id.len = dcidlen;
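Review bot: The new `memcpy(odcid_param->data, token_odcid->data, token_odcid->len);` takes its length from a connection ID that, according to the comment in qc_lstnr_pkt_rcv(), was received in a client token, and nothing in this hunk compares that length with the size of the destination. Unless the token parser already caps `len` (not visible here), add `if (token_odcid->len > sizeof odcid_param->data) return 0;` before the copy; the call site in qc_new_conn() treats a zero return as failure. The same question applies to the `dcid`/`dcidlen` copy into `retry_source_connection_id.data` just below. The body of qc_lstnr_params_init() continues outside the hunk, so any check placed earlier in the function is not visible from here.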


@ -4725,8 +4725,7 @@ static struct quic_conn *qc_new_conn(const struct quic_version *qv, int ipv4,
if (server && !qc_lstnr_params_init(qc, &l->bind_conf->quic_params,
icid->stateless_reset_token,
dcid->data, dcid->len,
qc->scid.data, qc->scid.len,
token_odcid->data, token_odcid->len))
qc->scid.data, qc->scid.len, token_odcid))
goto err;
if (qc_conn_alloc_ssl_ctx(qc) ||
@ -5774,7 +5773,7 @@ static void qc_lstnr_pkt_rcv(unsigned char *buf, const unsigned char *end,
if (long_header) {
uint64_t len;
struct quic_cid odcid;
struct quic_cid *token_odcid = NULL; // ODCID received from client token
const struct quic_cid *token_odcid = NULL; // ODCID received from client token
TRACE_PROTO("long header packet received", QUIC_EV_CONN_LPKT, qc);
if (!quic_packet_read_long_header(&buf, end, pkt)) {
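Review bot: The contract of `token_odcid` is undocumented at its declaration in qc_lstnr_pkt_rcv(), although a NULL value now travels through qc_new_conn() into qc_lstnr_params_init() and selects which transport parameters are filled in. The pointer is declared next to the local `odcid`, so it presumably points at that stack object when a token is present (the assignment is outside the hunk). I would replace the trailing `//` comment with `/* ODCID taken from the client token, NULL if none; points to a local, so callees must copy it and not keep the pointer */`. A matching sentence in the header comments of qc_new_conn() and qc_lstnr_params_init() would keep a later caller from reintroducing the unconditional dereference this commit removes.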