BUG/MINOR: quic: Possible crash in parse_retry_token()

We must check the decoded length of this incoming data before copying into our
internal structure. This could lead to crashes.
Reproduced with such a packet captured from QUIC interop.
    {
	    0xc5, 0x00, 0x00, 0x00, 0x01, 0x12, 0xf2, 0x65,
		0x4d, 0x9d, 0x58, 0x90, 0x23, 0x7e, 0x67, 0xef,
		0xf8, 0xef, 0x5b, 0x87, 0x48, 0xbe, 0xde, 0x7a, /* corrupted byte: 0x11, */
		0x01, 0xdc, 0x41, 0xbf, 0xfb, 0x07, 0x39, 0x9f,
		0xfd, 0x96, 0x67, 0x5f, 0x58, 0x03, 0x57, 0x74,
		0xc7, 0x26, 0x00, 0x45, 0x25, 0xdc, 0x7f, 0xf1,
		0x22, 0x1d,
	}

diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index 364b611d0ca25c1be6d4cbc81120dfddd7ab8108..6e2cc637bd4d9e5e43395834ae78de9ed5e3f851 100644 (file)
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -4272,6 +4272,9 @@ static int parse_retry_token(const unsigned char *token, uint64_t token_len,
        if (!quic_dec_int(&odcid_len, &token, token + token_len))
                return 1;
 
+       if (odcid_len > QUIC_CID_MAXLEN)
+               return 1;
+
        memcpy(odcid->data, token, odcid_len);
        odcid->len = odcid_len;