BUG/MEDIUM: quic: Wrong use of <token_odcid> in qc_lsntr_pkt_rcv()
authorFrédéric Lécaille <flecaille@haproxy.com>
Thu, 11 Aug 2022 16:54:26 +0000 (18:54 +0200)
committerWilly Tarreau <w@1wt.eu>
Thu, 11 Aug 2022 17:12:12 +0000 (19:12 +0200)
This commit was not complete:
  "BUG/MEDIUM: quic: Possible use of uninitialized <odcid>
variable in qc_lstnr_params_init()"
<token_odcid> should have been passed directly to qc_lstnr_params_init()
without dereferencing it, so that haproxy gets no new chance to crash!

Must be backported to 2.6.

include/haproxy/quic_tp.h
src/quic_tp.c
src/xprt_quic.c

index d6b7acc2523aa233f20bdbe76b0a1fbc681b12d3..45124482fd1a96dcabe75b441f1242428c37ea35 100644 (file)
@@ -25,7 +25,7 @@ int qc_lstnr_params_init(struct quic_conn *qc,
                          const unsigned char *stateless_reset_token,
                          const unsigned char *dcid, size_t dcidlen,
                          const unsigned char *scid, size_t scidlen,
-                         const unsigned char *token_odcid, size_t token_odcidlen);
+                         const struct quic_cid *token_odcid);
 
 /* Dump <cid> transport parameter connection ID value if present (non null length).
  * Used only for debugging purposes.
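Review bot: The declaration gives no hint that token_odcid may be NULL, yet tolerating NULL is exactly what this fix relies on, so the contract belongs on the header prototype rather than only in the .c body. A comment above the prototype along the lines of `/* <token_odcid>: ODCID carried by the client token, or NULL when none was received; the ODCID-derived transport parameters are only filled in when it is non-NULL. */` would let callers see the rule without reading the implementation. The prototype's first line is outside the hunk.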
index 449f94e331fdfccafd208c3f0e8eba2192f642e4..ca77289e3bd082fdaff5bc4524767e919a05ca81 100644 (file)
@@ -643,7 +643,7 @@ int qc_lstnr_params_init(struct quic_conn *qc,
                          const unsigned char *stateless_reset_token,
                          const unsigned char *dcid, size_t dcidlen,
                          const unsigned char *scid, size_t scidlen,
-                         const unsigned char *token_odcid, size_t token_odcidlen)
+                         const struct quic_cid *token_odcid)
 {
        struct quic_transport_params *rx_params = &qc->rx.params;
        struct tp_cid *odcid_param = &rx_params->original_destination_connection_id;
@@ -655,8 +655,8 @@ int qc_lstnr_params_init(struct quic_conn *qc,
               sizeof rx_params->stateless_reset_token);
        /* Copy original_destination_connection_id transport parameter. */
        if (token_odcid) {
-               memcpy(odcid_param->data, token_odcid, token_odcidlen);
-               odcid_param->len = token_odcidlen;
+               memcpy(odcid_param->data, token_odcid->data, token_odcid->len);
+               odcid_param->len = token_odcid->len;
                /* Copy retry_source_connection_id transport parameter. */
                memcpy(rx_params->retry_source_connection_id.data, dcid, dcidlen);
                rx_params->retry_source_connection_id.len = dcidlen;
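Review bot: The new `memcpy(odcid_param->data, token_odcid->data, token_odcid->len);` trusts token_odcid->len with no comparison against the capacity of odcid_param->data, and the source and destination are different types (struct quic_cid versus struct tp_cid), so nothing in this hunk shows the two arrays are sized alike. Presumably both use the same maximum CID length and the token was validated before reaching here, but since the length originates from a client-supplied token that invariant deserves to be explicit: a `BUG_ON(token_odcid->len > sizeof odcid_param->data);` before the copy, or a comment stating why it cannot overflow. The unchanged retry_source_connection_id copy from dcid/dcidlen two lines below has the same implicit assumption. qc_lstnr_params_init() starts in the previous hunk and its body continues past this one.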
index 83a1aacaaed4e63116942a2483f8d6c8f7cc6dde..7d7ba0bfbebd7f0aee034e5a8cf59cbb011726f4 100644 (file)
@@ -4725,8 +4725,7 @@ static struct quic_conn *qc_new_conn(const struct quic_version *qv, int ipv4,
        if (server && !qc_lstnr_params_init(qc, &l->bind_conf->quic_params,
                                            icid->stateless_reset_token,
                                            dcid->data, dcid->len,
-                                           qc->scid.data, qc->scid.len,
-                                           token_odcid->data, token_odcid->len))
+                                           qc->scid.data, qc->scid.len, token_odcid))
                goto err;
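Review bot: The call site still reads as if token_odcid were always valid, which is how the old `token_odcid->data, token_odcid->len` dereference slipped in; a reader of qc_new_conn() must open qc_lstnr_params_init() to learn that NULL is handled there. A short comment above the `if (server && !qc_lstnr_params_init(` line would pin the contract: `/* <token_odcid> is NULL when the client sent no token; qc_lstnr_params_init() copies the ODCID parameters only when it is set. */`. qc_new_conn() starts and ends outside the hunk.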
 
        if (qc_conn_alloc_ssl_ctx(qc) ||
@@ -5774,7 +5773,7 @@ static void qc_lstnr_pkt_rcv(unsigned char *buf, const unsigned char *end,
        if (long_header) {
                uint64_t len;
                struct quic_cid odcid;
-               struct quic_cid *token_odcid = NULL; // ODCID received from client token
+               const struct quic_cid *token_odcid = NULL; // ODCID received from client token
 
                TRACE_PROTO("long header packet received", QUIC_EV_CONN_LPKT, qc);
                if (!quic_packet_read_long_header(&buf, end, pkt)) {