From: Frédéric Lécaille
Date: Wed, 12 Apr 2023 18:49:29 +0000 (+0200)
Subject: BUG/MINOR: quic: Possible wrapped values used as ACK tree purging limit.
X-Git-Tag: v2.8-dev8~170
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9d68c6aaf696c7080ee32beb3e1b07a4c1aa2378;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic: Possible wrapped values used as ACK tree purging limit.

Add two missing checks not to subtract too big values from another too little one. In this case the resulting wrapped huge values could be passed to the function which has to remove the last range of a tree of ACK ranges as encoded limit size not to go below, cancelling the ACK ranges deletion. The consequence could be that no ACK was sent.

Must be backported to 2.6 and 2.7.
---
diff --git a/src/quic_conn.c b/src/quic_conn.c index 372a73a5d7..50a562d097 100644 --- a/src/quic_conn.c +++ b/src/quic_conn.c @@ -7294,6 +7294,9 @@ static int quic_ack_frm_reduce_sz(struct quic_conn *qc, TRACE_ENTER(QUIC_EV_CONN_TXPKT, qc); ack_delay_sz = quic_int_getsize(ack_frm->tx_ack.ack_delay); + if (limit <= ack_delay_sz - 1) + goto leave; + /* A frame is made of 1 byte for the frame type. */ room = limit - ack_delay_sz - 1; if (!quic_rm_last_ack_ranges(qc, ack_frm->tx_ack.arngs, room)) @@ -7721,6 +7724,9 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end, * This will be decided after having computed the ack-eliciting frames * to be added to this packet. */ + if (end - pos <= 1 + *pn_len) + goto no_room; + ack_frm_len = quic_ack_frm_reduce_sz(qc, &ack_frm, end - 1 - *pn_len - pos); if (!ack_frm_len) goto no_room;
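Review bot: the guard in the first hunk (quic_ack_frm_reduce_sz) is off by one: `if (limit <= ack_delay_sz - 1)` lets `limit == ack_delay_sz` through, and the very next line, `room = limit - ack_delay_sz - 1;`, then computes 0 - 1 on an unsigned and wraps exactly as the commit message describes. The guard has to reject that case as well, and reads better without a subtraction on its left side, e.g. `if (limit <= ack_delay_sz) goto leave;`. The case is reachable from the second hunk: `end - pos == 2 + *pn_len` passes `end - pos <= 1 + *pn_len`, so a limit of 1 is passed down, and with a one-byte ack_delay varint `ack_delay_sz` is 1 and `room` wraps. If quic_int_getsize() can return 0 for a value it cannot encode, `ack_delay_sz - 1` on the left side also wraps to the maximum and the guard fires unconditionally; the suggested form avoids that too.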
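Review bot: in the second hunk (qc_do_build_pkt) the available size is written in two different forms, `end - pos <= 1 + *pn_len` in the guard and `end - 1 - *pn_len - pos` in the call, which is how the boundary between this guard and the one in quic_ack_frm_reduce_sz can disagree; compute it once after the guard, e.g. `limit = end - pos - 1 - *pn_len;`, and pass that. `end - pos` is a ptrdiff_t, so if `*pn_len` is unsigned the comparison mixes signedness (-Wsign-compare) and a negative difference would be converted to a huge unsigned value and pass the check; comparing on an unsigned remaining length after checking `pos <= end` avoids that. `end - 1 - *pn_len - pos` also forms the intermediate pointer `end - 1 - *pn_len` before `pos` is subtracted, whereas `(end - pos) - 1 - *pn_len` stays in integer arithmetic. Finally, the new check now sits between the comment ending "to be added to this packet." and the call that comment describes; placing it above the comment keeps the comment attached to the call.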
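The commit message describes an unsigned subtraction (`limit - ack_delay_sz - 1`) wrapping to a huge value that is then used as a "do not go below" limit. The following is an added illustration written for this page, not HAProxy code: it shows the unchecked computation wrapping at the boundary, a checked form whose guard is written without any subtraction so neither side can underflow, and a caller-side guard mirroring the one in the second hunk. The function names, the `varint_size()` helper (a plain RFC 9000 varint size computation) and the use of `size_t` for all sizes are assumptions made for the example.

```c
/* Added example, not HAProxy code. Names, types and the varint helper are
 * assumptions made to illustrate the unsigned-wrap guard from the commit. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Encoded size of a QUIC variable-length integer (RFC 9000 section 16):
 * 1, 2, 4 or 8 bytes, or 0 when the value cannot be encoded (>= 2^62). */
static size_t varint_size(uint64_t val)
{
    if (val < (1ULL << 6))  return 1;
    if (val < (1ULL << 14)) return 2;
    if (val < (1ULL << 30)) return 4;
    if (val < (1ULL << 62)) return 8;
    return 0;
}

/* Unchecked form: one byte of frame type plus the ack_delay varint are
 * subtracted from the limit. With size_t operands this wraps as soon as
 * limit <= ack_delay_sz; the wrapped value then looks like unlimited room. */
static size_t ack_room_unchecked(size_t limit, size_t ack_delay_sz)
{
    return limit - ack_delay_sz - 1;
}

/* Checked form: returns false instead of wrapping. The guard compares the
 * two operands directly (no "- 1" on either side), which also rejects the
 * limit == ack_delay_sz boundary and copes with a non-encodable ack_delay. */
static bool ack_room_checked(size_t limit, uint64_t ack_delay, size_t *room)
{
    size_t ack_delay_sz = varint_size(ack_delay);

    if (ack_delay_sz == 0)      /* ack_delay not encodable at all */
        return false;
    if (limit <= ack_delay_sz)  /* nothing left after type byte + varint */
        return false;
    *room = limit - ack_delay_sz - 1;
    return true;
}

/* Caller-side guard: bytes remaining in the packet after the packet number
 * field and the frame type byte. Computed once and returned, so the guard
 * and the value passed down cannot disagree. */
static bool pkt_ack_limit(size_t remaining, size_t pn_len, size_t *limit)
{
    if (remaining <= 1 + pn_len)
        return false;
    *limit = remaining - 1 - pn_len;
    return true;
}

int main(void)
{
    size_t room = 0, limit = 0;

    /* Boundary case: limit == ack_delay_sz wraps in the unchecked form. */
    printf("unchecked room(1, 1) = %zu\n", ack_room_unchecked(1, 1));
    printf("checked room(1, delay 0): %s\n",
           ack_room_checked(1, 0, &room) ? "ok" : "no room");

    /* Packet with pn_len 4 and 6 bytes left yields a limit of 1, which the
     * checked form then rejects instead of wrapping. */
    if (pkt_ack_limit(6, 4, &limit))
        printf("limit = %zu, room: %s\n", limit,
               ack_room_checked(limit, 0, &room) ? "ok" : "no room");

    /* Normal case: 100 bytes, two-byte ack_delay varint, 97 bytes of room. */
    if (ack_room_checked(100, 0x3fff, &room))
        printf("room(100, 2-byte delay) = %zu\n", room);
    return 0;
}
```

The guard `limit <= ack_delay_sz` is the shape to prefer: every quantity on both sides is a value that already exists, so the comparison itself can never underflow, and the subtraction is only performed once the comparison has established that it cannot wrap.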