From: Amaury Denoyelle Date: Tue, 24 May 2022 14:30:11 +0000 (+0200) Subject: BUG/MINOR: h3: prevent overflow when parsing SETTINGS X-Git-Tag: v2.6-dev12~129 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=160507d0ba8d75392f631dc0ef0eecdf40c26719;p=thirdparty%2Fhaproxy.git BUG/MINOR: h3: prevent overflow when parsing SETTINGS h3_parse_settings_frm() read one byte after the frame payload. Fix the parsing code. In most cases, this has no impact as we are inside an allocated buffer but it could cause a segfault depending on the buffer alignment. --- diff --git a/src/h3.c b/src/h3.c index 75ab2b8487..429325863b 100644 --- a/src/h3.c +++ b/src/h3.c @@ -352,7 +352,7 @@ static int h3_parse_settings_frm(struct h3c *h3c, const struct ncbuf *rxbuf, siz buf = (const unsigned char *)ncb_head(rxbuf); end = buf + flen; - while (buf <= end) { + while (buf < end) { if (!quic_dec_int(&id, &buf, end) || !quic_dec_int(&value, &buf, end)) return 0;
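Review bot: At "end = buf + flen;" the hunk shows no check that flen stays within the contiguous data returned by ncb_head(rxbuf), so the corrected "while (buf < end)" condition bounds reads only as well as the caller bounds flen. If the caller guarantees this, a short comment above the assignment stating that precondition would make the bound auditable from this function alone. If it does not, flen should be checked against the readable length before the loop. The loop condition change itself matches the commit message: with "<=" the body ran once more with buf == end, and both quic_dec_int() calls were then handed an empty range. The message would also be clearer if it said "out-of-bounds read of one byte" rather than "overflow", since nothing in the hunk writes to the buffer.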