From: Frédéric Lécaille
Date: Wed, 15 Dec 2021 13:16:16 +0000 (+0100)
Subject: MINOR: qpack: Missing check for truncated QPACK fields
X-Git-Tag: v2.6-dev1~270
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e629cfd96aa7316db30bbe1414a540efa612a854;p=thirdparty%2Fhaproxy.git
MINOR: qpack: Missing check for truncated QPACK fields
Decrementing variable without checking could make haproxy crash (on abort) when printing a huge buffer (with negative length).
---
diff --git a/src/qpack-dec.c b/src/qpack-dec.c
index c130a34701..6c55495b27 100644
--- a/src/qpack-dec.c
+++ b/src/qpack-dec.c
@@ -228,6 +228,13 @@ int qpack_decode_fs(const unsigned char *raw, size_t len, struct buffer *tmp,
 }
 qpack_debug_printf(stderr, " h=%d length=%llu", !!h, (unsigned long long)length);
+
+ if (len < length) {
+ qpack_debug_printf(stderr, "##ERR@%d\n", __LINE__);
+ ret = -QPACK_ERR_TRUNCATED;
+ goto out;
+ }
+
 /* XXX Value string XXX */
 raw += length;
 len -= length;
@@ -319,6 +326,12 @@ int qpack_decode_fs(const unsigned char *raw, size_t len, struct buffer *tmp,
 list[hdr_idx].v = ist2(raw, length);
 }
+ if (len < length) {
+ qpack_debug_printf(stderr, "##ERR@%d\n", __LINE__);
+ ret = -QPACK_ERR_TRUNCATED;
+ goto out;
+ }
+
 raw += length;
 len -= length;
 ++hdr_idx;
@@ -340,6 +353,13 @@ int qpack_decode_fs(const unsigned char *raw, size_t len, struct buffer *tmp,
 qpack_debug_printf(stderr, " n=%d hanme=%d name_len=%llu", !!n, !!hname, (unsigned long long)name_len);
 /* Name string */
+
+ if (len < name_len) {
+ qpack_debug_printf(stderr, "##ERR@%d\n", __LINE__);
+ ret = -QPACK_ERR_TRUNCATED;
+ goto out;
+ }
+
 raw += name_len;
 len -= name_len;
 hvalue = *raw & 0x80;
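Review bot: The new guard in the first hunk carries no comment explaining why it is needed, and the fact a future reader must know before touching this code is that `length` is attacker-controlled (it comes from the field's length prefix) and that `raw += length; len -= length;` would otherwise walk past the input; suggest `/* length is untrusted input: bound it before raw/len are advanced, or they run past the buffer */` above `if (len < length) {`. The debug print that already uses `length` is harmless on its own, the subtraction on `len` is not, so the comment belongs on the check rather than the print. qpack_decode_fs starts outside the hunk, so whether `len` is re-validated before the next prefix byte is read cannot be seen here.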
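Review bot: In the second hunk the truncation check is placed after the value has already been consumed: `list[hdr_idx].v = ist2(raw, length)` is built from the unchecked `length` one line above, and if the sibling branch closed by the `}` above it decodes the value out of `raw` (a Huffman path, presumably) it reads `length` bytes before any bound is applied, so the guard only protects the later `raw += length`. Hoisting `if (len < length) { ... goto out; }` above that conditional would close the window; the conditional's head is outside the hunk. The stale `list[hdr_idx].v` left behind on the error path is harmless only if callers ignore `list` on a negative return, which cannot be confirmed from here.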
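Review bot: The third hunk's guard leaves an off-by-one: when `len == name_len` the check passes, `len -= name_len` leaves `len == 0`, and `hvalue = *raw & 0x80` on the next line reads one byte past the end of the input. A literal name must be followed by at least the value's length byte, so the check should be `if (len <= name_len) {` (or a separate `if (!len)` test before `hvalue` is read). The same `len -= ...` pattern precedes further reads in the other hunks, but only here is the dereference visible inside the hunk.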
@@ -352,6 +372,12 @@ int qpack_decode_fs(const unsigned char *raw, size_t len, struct buffer *tmp,
 qpack_debug_printf(stderr, " hvalue=%d value_len=%llu", !!hvalue, (unsigned long long)value_len);
+ if (len < value_len) {
+ qpack_debug_printf(stderr, "##ERR@%d\n", __LINE__);
+ ret = -QPACK_ERR_TRUNCATED;
+ goto out;
+ }
+
 /* XXX Value string XXX */
 raw += value_len;
 len -= value_len;
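Review bot: After `len -= value_len` the input may be fully consumed (`len == 0`) and the decoder presumably loops back to read the next field-line prefix byte from `raw`; unless the loop head tests `len` first, that is the same one-past-the-end read the name path has, and the loop head is outside the hunk. Tightening this check to `len <= value_len` would be wrong here, since a value may legitimately end the block, so if the loop is unguarded the fix belongs at its head, e.g. `while (len) {`. The value is still only skipped past (`/* XXX Value string XXX */`) rather than decoded, as before this change.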