BUG/MEDIUM: quic: Missing AEAD TAG check after removing header protection

author Frédéric Lécaille <flecaille@haproxy.com>

Mon, 8 Aug 2022 16:41:16 +0000 (18:41 +0200)

committer Frédéric Lécaille <flecaille@haproxy.com>

Mon, 8 Aug 2022 16:41:16 +0000 (18:41 +0200)
author Frédéric Lécaille <flecaille@haproxy.com>
Mon, 8 Aug 2022 16:41:16 +0000 (18:41 +0200)
committer Frédéric Lécaille <flecaille@haproxy.com>
Mon, 8 Aug 2022 16:41:16 +0000 (18:41 +0200)
diff --git a/src/xprt_quic.c b/src/xprt_quic.c

index 3705608485cb030bcfdae547ef84a480c751dee2..1589834f197acc853c9928ee8b4e97b6a335bb43 100644 (file)
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -4628,6 +4628,11 @@ static inline int qc_try_rm_hp(struct quic_conn *qc,
  
                 /* The AAD includes the packet number field found at <pn>. */
                 pkt->aad_len = pn - beg + pkt->pnl;
+               if (pkt->len - pkt->aad_len < QUIC_TLS_TAG_LEN) {
+                       TRACE_PROTO("Too short packet", QUIC_EV_CONN_TRMHP, qc);
+                       goto err;
+               }
+
                 qpkt_trace = pkt;
         }
         else {
author	Frédéric Lécaille <flecaille@haproxy.com>
	Mon, 8 Aug 2022 16:41:16 +0000 (18:41 +0200)
committer	Frédéric Lécaille <flecaille@haproxy.com>
	Mon, 8 Aug 2022 16:41:16 +0000 (18:41 +0200)