BUG/MINOR: quic: Wrong buffer length passed to generate_retry_token()

After having consumed <i> bytes from <buf>, the remaining available room to be
passed to generate_retry_token() is sizeof(buf) - i.
This bug could be easily reproduced with quic-go as client, which chooses a random
value as ODCID length.
Frédéric Lécaille 2022-03-23 14:09:09 +01:00 committed by Amaury Denoyelle
parent 0c3205a541
commit cc2764e7fe

@ -4249,8 +4249,9 @@ static int send_retry(int fd, struct sockaddr_storage *addr,
i += scid.len;
/* token */
if (!(token_len = generate_retry_token(&buf[i], &buf[i] - buf, pkt)))
if (!(token_len = generate_retry_token(&buf[i], sizeof(buf) - i, pkt)))
return 1;
i += token_len;
/* token integrity tag */
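
Review bot: at the generate_retry_token() call, sizeof(buf) - i is the remaining room only if buf is an array declared in send_retry() (not a pointer) and i can never exceed its size. The i += scid.len just above has no bounds check in the visible lines, so if the operands are unsigned, a larger-than-expected i would make the subtraction wrap to a very large length. Suggest checking i against sizeof(buf) before generating the token, and subtracting the space needed for the integrity tag written right after, so the length passed is what the token may actually occupy.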