BUG/MINOR: quic: Possible wrapped values used as ACK tree purging limit.

Add two missing checks not to substract too big values from another too little
one. In this case the resulted wrapped huge values could be passed to the function
which has to remove the last range of a tree of ACK ranges as encoded limit size
not to go below, cancelling the ACK ranges deletion. The consequence could be that
no ACK were sent.

Must be backported to 2.6 and 2.7.

diff --git a/src/quic_conn.c b/src/quic_conn.c
index 372a73a5d7e934b043341f1c33960b8744570e02..50a562d09719d8355c0a7d4540798a75b2f54b58 100644 (file)
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -7294,6 +7294,9 @@ static int quic_ack_frm_reduce_sz(struct quic_conn *qc,
        TRACE_ENTER(QUIC_EV_CONN_TXPKT, qc);
 
        ack_delay_sz = quic_int_getsize(ack_frm->tx_ack.ack_delay);
+       if (limit <= ack_delay_sz - 1)
+               goto leave;
+
        /* A frame is made of 1 byte for the frame type. */
        room = limit - ack_delay_sz - 1;
        if (!quic_rm_last_ack_ranges(qc, ack_frm->tx_ack.arngs, room))
@@ -7721,6 +7724,9 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end,
                 * This will be decided after having computed the ack-eliciting frames
                 * to be added to this packet.
                 */
+               if (end - pos <= 1 + *pn_len)
+                       goto no_room;
+
                ack_frm_len = quic_ack_frm_reduce_sz(qc, &ack_frm, end - 1 - *pn_len - pos);
                if (!ack_frm_len)
                        goto no_room;