From: Amaury Denoyelle Date: Thu, 26 Jan 2023 15:03:45 +0000 (+0100) Subject: BUG/MINOR: h3: prevent hypothetical demux failure on int overflow X-Git-Tag: v2.8-dev5~166 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=35d9053b6832c419f9a94ff331b5c495df1cde9d;p=thirdparty%2Fhaproxy.git BUG/MINOR: h3: prevent hypothetical demux failure on int overflow h3s stores the current demux frame type and length as a state info. It should be big enough to store a QUIC variable-length integer which is the maximum H3 frame type and size. Without this patch, there is a risk of integer overflow if H3 frame size is bigger than INT_MAX. This can typically causes demux state mismatch and demux frame error. However, no occurence has been found yet of this bug with the current implementation. This should be backported up to 2.6. --- diff --git a/src/h3.c b/src/h3.c index a214a22623..1572ac1b65 100644 --- a/src/h3.c +++ b/src/h3.c @@ -149,8 +149,8 @@ struct h3s { enum h3s_t type; enum h3s_st_req st_req; /* only used for request streams */ - int demux_frame_len; - int demux_frame_type; + uint64_t demux_frame_len; + uint64_t demux_frame_type; unsigned long long body_len; /* known request body length from content-length header if present */ unsigned long long data_len; /* total length of all parsed DATA */ @@ -1838,7 +1838,7 @@ static void h3_stats_inc_err_cnt(void *ctx, int err_code) h3_inc_err_cnt(h3c->prx_counters, err_code); } -static inline const char *h3_ft_str(int type) +static inline const char *h3_ft_str(uint64_t type) { switch (type) { case H3_FT_DATA: return "DATA"; @@ -1875,8 +1875,8 @@ static void h3_trace(enum trace_level level, uint64_t mask, chunk_appendf(&trace_buf, " qcs=%p(%llu)", qcs, (ull)qcs->id); if (h3s && h3s->demux_frame_type != H3_FT_UNINIT) { - chunk_appendf(&trace_buf, " h3s.dem=%s/%d", - h3_ft_str(h3s->demux_frame_type), h3s->demux_frame_len); + chunk_appendf(&trace_buf, " h3s.dem=%s/%llu", + h3_ft_str(h3s->demux_frame_type), (ull)h3s->demux_frame_len); } } }