From: Frédéric Lécaille
Date: Mon, 4 Jul 2022 07:54:58 +0000 (+0200)
Subject: BUG/MAJOR: mux_quic: fix invalid PROTOCOL_VIOLATION on POST data overlap
X-Git-Tag: v2.7-dev3~75
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a18c3339c8d8038377a7ba0a5d0f845924ec1490;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: mux_quic: fix invalid PROTOCOL_VIOLATION on POST data overlap

Stream data reception is incorrect when dealing with a partially new offset with some data already consumed out of the RX buffer. In this case, data length is adjusted but not the data buffer. In most cases, ncb_add() operation will be rejected as already stored data does not correspond with the new inserted offset. This will result in an invalid CONNECTION_CLOSE with PROTOCOL_VIOLATION.

To fix this, buffer pointer is advanced while the length is reduced.

This can be reproduced with a POST request and patching haproxy to call qcc_recv() multiple times by copying a quic_stream frame with different offsets.

Must be backported to 2.6.

---
diff --git a/src/mux_quic.c b/src/mux_quic.c index ff0b8eab86..055c82d316 100644 --- a/src/mux_quic.c +++ b/src/mux_quic.c @@ -789,7 +789,10 @@ int qcc_recv(struct qcc *qcc, uint64_t id, uint64_t len, uint64_t offset, TRACE_DEVEL("newly received offset", QMUX_EV_QCC_RECV|QMUX_EV_QCS_RECV, qcc->conn, qcs); if (offset < qcs->rx.offset) { - len -= qcs->rx.offset - offset; + size_t diff = qcs->rx.offset - offset; + + len -= diff; + data += diff; offset = qcs->rx.offset; }
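Review bot: the new `data += diff` in the `if (offset < qcs->rx.offset)` branch relies on `offset + len > qcs->rx.offset` holding at this point; if a frame were entirely below the consumed offset, `len -= diff` would wrap the unsigned length and `data` would be advanced past the end of the frame. The preceding `TRACE_DEVEL("newly received offset", ...)` context suggests the fully-already-received case is filtered out earlier, but an explicit check next to the pointer arithmetic (for example a `BUG_ON(diff >= len)`) or a one-line comment stating that precondition would make the invariant visible to the next reader. Separately, `diff` is declared `size_t` while `offset` and `qcs->rx.offset` are `uint64_t`; `uint64_t diff = qcs->rx.offset - offset;` keeps the arithmetic in one width and avoids a silent truncation on 32-bit builds.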