From: Frédéric Lécaille Date: Tue, 7 Nov 2023 17:29:28 +0000 (+0100) Subject: BUG/MEDIUM: quic: Possible crashes when sending too short Initial packets X-Git-Tag: v2.9-dev10~122 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b21e08cbd275fc6da24d1f3f0ec54a96f318c751;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: quic: Possible crashes when sending too short Initial packets This may happen during handshakes when Handshake packets cannot be coalesced to a first Initial packet because of TX frame allocation failures (from qc_build_frms()). This leads too short (not padded) Initial packets to be sent. This is detected by a BUG_ON() in qc_send_ppkts(). To avoid this an Handshake packet without ack-eliciting frames which should have been built by qc_build_frms() is built. Must be backported as far as 2.6. --- diff --git a/src/quic_tx.c b/src/quic_tx.c index 5d343600d5..0a0e4bc799 100644 --- a/src/quic_tx.c +++ b/src/quic_tx.c @@ -2283,11 +2283,17 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end, end - pos, &len_frms, pos - beg, qel, qc)) { TRACE_PROTO("Not enough room", QUIC_EV_CONN_TXPKT, qc, NULL, NULL, &room); + if (padding) { + len_frms = 0; + goto comp_pkt_len; + } + if (!ack_frm_len && !qel->pktns->tx.pto_probe) goto no_room; } } + comp_pkt_len: /* Length (of the remaining data). Must not fail because, the buffer size * has been checked above. Note that we have reserved QUIC_TLS_TAG_LEN bytes * for the encryption tag. It must be taken into an account for the length
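Review bot: the new `if (padding)` branch in qc_do_build_pkt() deserves an in-code comment, because the reasoning that justifies it (an empty, non-ack-eliciting Handshake packet is preferable to leaving the coalesced Initial under the padding minimum and tripping the BUG_ON() in qc_send_ppkts()) lives only in the commit message; a reader of the function alone will see `len_frms = 0; goto comp_pkt_len;` bypass the `!ack_frm_len && !qel->pktns->tx.pto_probe` check and wonder why an allocation failure is allowed to produce a packet at all. Worth confirming in the same comment that qc_build_frms() leaves the frame list untouched when it returns failure, since `len_frms = 0` assumes nothing was appended before the "Not enough room" trace. Two smaller points: the `comp_pkt_len:` label is indented with a single space while the surrounding code is tab-indented, so it should follow the file's existing label style; and since the crash is reached through TX frame allocation failure under memory pressure, the backport to 2.6 would benefit from being exercised with allocation-failure injection during the handshake so the padded-Initial path is actually verified rather than only the happy path.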