From: Frédéric Lécaille
Date: Thu, 17 Mar 2022 15:22:02 +0000 (+0100)
Subject: BUG/MINOR: quic: Possible crash in parse_retry_token()
X-Git-Tag: v2.6-dev4~38
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f1f812bfdb30371bd6ff7e1dc45f04719138113f;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic: Possible crash in parse_retry_token()

We must check the decoded length of this incoming data before copying into our internal structure. This could lead to crashes. Reproduced with such a packet captured from QUIC interop.

{ 0xc5, 0x00, 0x00, 0x00, 0x01, 0x12, 0xf2, 0x65, 0x4d, 0x9d, 0x58, 0x90, 0x23, 0x7e, 0x67, 0xef, 0xf8, 0xef, 0x5b, 0x87, 0x48, 0xbe, 0xde, 0x7a, /* corrupted byte: 0x11, */ 0x01, 0xdc, 0x41, 0xbf, 0xfb, 0x07, 0x39, 0x9f, 0xfd, 0x96, 0x67, 0x5f, 0x58, 0x03, 0x57, 0x74, 0xc7, 0x26, 0x00, 0x45, 0x25, 0xdc, 0x7f, 0xf1, 0x22, 0x1d, }
---
diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index 364b611d0c..6e2cc637bd 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -4272,6 +4272,9 @@ static int parse_retry_token(const unsigned char *token, uint64_t token_len,
 if (!quic_dec_int(&odcid_len, &token, token + token_len))
 return 1;
+ if (odcid_len > QUIC_CID_MAXLEN)
+ return 1;
+
 memcpy(odcid->data, token, odcid_len);
 odcid->len = odcid_len;
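Review bot: The new `odcid_len > QUIC_CID_MAXLEN` check bounds the destination (`odcid->data`) but not the source: `quic_dec_int()` has already advanced `token`, and the `memcpy` on the following context line still copies `odcid_len` bytes without verifying that many bytes remain before the token's end, so a token whose varint claims e.g. 20 bytes while only a few follow reads past the end of the token buffer. Because the end pointer is recomputed inline from the already-advanced `token`, it must be captured before the decode, e.g. `const unsigned char *end = token + token_len;` ahead of the call, then `if (!quic_dec_int(&odcid_len, &token, end)) return 1;` and `if (odcid_len > QUIC_CID_MAXLEN || (uint64_t)(end - token) < odcid_len) return 1;`. A one-line comment on the new check would also help the next reader, e.g. `/* ODCID must fit both odcid->data and the bytes left in the token */`. A lower bound may be worth adding as well, since RFC 9000 §7.2 requires a client's initial Destination Connection ID to be at least 8 bytes, though whether this function is the right place for that is for the author to judge. The declaration of `odcid_len` and the rest of parse_retry_token lie outside the hunk, so the unsigned type presumed for `odcid_len` in the comparison above should be confirmed there.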