RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-15 16:04:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MINOR: quic: Possible crash in parse_retry_token()

Browse Source 
We must check the decoded length of this incoming data before copying into our
internal structure. This could lead to crashes.
Reproduced with such a packet captured from QUIC interop.
    {
	    0xc5, 0x00, 0x00, 0x00, 0x01, 0x12, 0xf2, 0x65,
		0x4d, 0x9d, 0x58, 0x90, 0x23, 0x7e, 0x67, 0xef,
		0xf8, 0xef, 0x5b, 0x87, 0x48, 0xbe, 0xde, 0x7a, /* corrupted byte: 0x11, */
		0x01, 0xdc, 0x41, 0xbf, 0xfb, 0x07, 0x39, 0x9f,
		0xfd, 0x96, 0x67, 0x5f, 0x58, 0x03, 0x57, 0x74,
		0xc7, 0x26, 0x00, 0x45, 0x25, 0xdc, 0x7f, 0xf1,
		0x22, 0x1d,
	}
This commit is contained in:
Frédéric Lécaille 2022-03-17 16:22:02 +01:00 committed by Amaury Denoyelle
parent e2a1c1b372
commit f1f812bfdb
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/xprt_quic.c
View File

@ -4272,6 +4272,9 @@ static int parse_retry_token(const unsigned char *token, uint64_t token_len,
if (!quic_dec_int(&odcid_len, &token, token + token_len))
return 1;
if (odcid_len > QUIC_CID_MAXLEN)
return 1;
memcpy(odcid->data, token, odcid_len);
odcid->len = odcid_len;