From: Amaury Denoyelle Date: Tue, 6 May 2025 16:00:43 +0000 (+0200) Subject: BUG/MINOR: quic: use proper error code on invalid received TP value X-Git-Tag: v3.2-dev15~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b60a17aad768369ab7e328949112b50cd78bc987;p=thirdparty%2Fhaproxy.git BUG/MINOR: quic: use proper error code on invalid received TP value As per RFC 9000, checks must be implemented to reject invalid values for received transport parameters. Such values are dependent on the parameter type. Checks were already implemented for ack_delay_exponent and active_connection_id_limit, accordingly with the QUIC specification. However, the connection was closed with an incorrect error code. Fix this to ensure that TRANSPORT_PARAMETER_ERROR code is used as expected. This should be backported up to 2.6. Note that is relies on previous patch "MINOR: quic: extend return value on TP parsing".
---
diff --git a/src/quic_tp.c b/src/quic_tp.c
index 0499cb274..b8a8f626a 100644
--- a/src/quic_tp.c
+++ b/src/quic_tp.c
@@ -336,9 +336,17 @@ quic_transport_param_decode(struct quic_transport_params *p, int server,
 return QUIC_TP_DEC_ERR_TRUNC;
 break;
 case QUIC_TP_ACK_DELAY_EXPONENT:
- if (!quic_dec_int(&p->ack_delay_exponent, buf, end) ||
- p->ack_delay_exponent > QUIC_TP_ACK_DELAY_EXPONENT_LIMIT)
+ if (!quic_dec_int(&p->ack_delay_exponent, buf, end))
 return QUIC_TP_DEC_ERR_TRUNC;
+
+ /* RFC 9000 18.2. Transport Parameter Definitions
+ *
+ * ack_delay_exponent (0x0a): [...]
+ * Values above 20 are invalid.
+ */
+ if (p->ack_delay_exponent > QUIC_TP_ACK_DELAY_EXPONENT_LIMIT)
+ return QUIC_TP_DEC_ERR_INVAL;
+
 break;
 case QUIC_TP_MAX_ACK_DELAY:
 if (!quic_dec_int(&p->max_ack_delay, buf, end) ||
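Review bot: The QUIC_TP_MAX_ACK_DELAY case on the last context line still opens with `if (!quic_dec_int(&p->max_ack_delay, buf, end) ||`, the same combined decode-and-validate condition this hunk splits apart for ack_delay_exponent. The rest of that condition and its return are outside the hunk, so this is inferred. If the second operand is a range check (RFC 9000 18.2 declares max_ack_delay values of 2^14 or greater invalid), an out-of-range value would still be reported as a truncated parameter rather than an invalid one. I would split it the same way: keep `return QUIC_TP_DEC_ERR_TRUNC;` for the `quic_dec_int()` failure only, and return `QUIC_TP_DEC_ERR_INVAL` from a separate limit check. Other cases in this switch that validate a received value are worth the same audit, so that every peer-supplied out-of-range parameter ends in TRANSPORT_PARAMETER_ERROR.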
@@ -656,12 +664,16 @@ quic_transport_params_decode(struct quic_transport_params *p, int server,
 return QUIC_TP_DEC_ERR_INVAL;
 }
- /* Note that if not received by the peer, active_connection_id_limit will
- * have QUIC_TP_DFLT_ACTIVE_CONNECTION_ID_LIMIT as default value. This
- * is also the minimum value for this transport parameter.
+ /* RFC 9000 18.2. Transport Parameter Definitions
+ *
+ * active_connection_id_limit (0x0e):
+ * [...] The value of the
+ * active_connection_id_limit parameter MUST be at least 2. An
+ * endpoint that receives a value less than 2 MUST close the
+ * connection with an error of type TRANSPORT_PARAMETER_ERROR.
 */
 if (p->active_connection_id_limit < QUIC_TP_DFLT_ACTIVE_CONNECTION_ID_LIMIT)
- return QUIC_TP_DEC_ERR_TRUNC;
+ return QUIC_TP_DEC_ERR_INVAL;
 return QUIC_TP_DEC_ERR_NONE;
 }
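Review bot: The new comment states the RFC minimum of 2, but the check below it still compares against `QUIC_TP_DFLT_ACTIVE_CONNECTION_ID_LIMIT`, and the removed comment was the only place that explained why the default constant doubles as the minimum. Without that link, a later change to the default would silently change which peer values are rejected. I would keep one line such as `/* QUIC_TP_DFLT_ACTIVE_CONNECTION_ID_LIMIT is both the default when the TP is absent and the RFC minimum. */`, or compare against a dedicated minimum constant instead. The body of quic_transport_params_decode() begins outside this hunk, so whether an absent parameter really reaches this check with the default value cannot be confirmed from here.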