From: Frédéric Lécaille
Date: Tue, 18 Apr 2023 12:42:40 +0000 (+0200)
Subject: BUG/MINOR: quic: Unchecked buffer length when building the token
X-Git-Tag: v2.8-dev8~80
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=45662efb2f329ca2211e6c83d84257662b15cea5;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic: Unchecked buffer length when building the token

As server, an Initial does not contain a token but only the token length field with zero as value. The remaining room was not checked before writing this field.

Must be backported to 2.6 and 2.7.

---
diff --git a/src/quic_conn.c b/src/quic_conn.c index 86fcc1e0e4..10a2948a0e 100644 --- a/src/quic_conn.c +++ b/src/quic_conn.c @@ -7771,8 +7771,13 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end, goto no_room; /* Encode the token length (0) for an Initial packet. */ - if (pkt->type == QUIC_PACKET_TYPE_INITIAL) + if (pkt->type == QUIC_PACKET_TYPE_INITIAL) { + if (end <= pos) + goto no_room; + *pos++ = 0; + } + head_len = pos - beg; /* Build an ACK frame if required. */ ack_frm_len = 0;
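Review bot: the new `if (end <= pos) goto no_room;` guard in this hunk is correct for the single zero byte written by `*pos++ = 0;`, but it duplicates the room-check pattern that already ends in the `goto no_room;` immediately above the comment; since the token-length byte is a fixed part of the Initial header, consider folding one extra byte into that earlier check rather than adding a second one, so `head_len = pos - beg;` remains computed under a single room computation. Also update the comment `/* Encode the token length (0) for an Initial packet. */` to note that the room is now checked, and that this path writes only the length field (value 0) and never a token body, which is what makes a one-byte check sufficient here.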