BUG/MINOR: h3: prevent overflow when parsing SETTINGS

h3_parse_settings_frm() read one byte after the frame payload. Fix the
parsing code. In most cases, this has no impact as we are inside an
allocated buffer but it could cause a segfault depending on the buffer
alignment.

diff --git a/src/h3.c b/src/h3.c
index 75ab2b8487c191a5f238c700f4edb718046ee6c5..429325863bc8b198a82d4d389d31c81682833706 100644 (file)
--- a/src/h3.c
+++ b/src/h3.c
@@ -352,7 +352,7 @@ static int h3_parse_settings_frm(struct h3c *h3c, const struct ncbuf *rxbuf, siz
        buf = (const unsigned char *)ncb_head(rxbuf);
        end = buf + flen;
 
-       while (buf <= end) {
+       while (buf < end) {
                if (!quic_dec_int(&id, &buf, end) || !quic_dec_int(&value, &buf, end))
                        return 0;