From: Emeric Brun
Date: Tue, 27 Jun 2023 13:24:05 +0000 (+0200)
Subject: BUG/MEDIUM: quic: error checking buffer large enough to receive the retry tag
X-Git-Tag: v2.9-dev1~28
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f473eb72066e02d44837fd77110b6ca5bdea97e2;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: quic: error checking buffer large enough to receive the retry tag

Building a retry message, the offset of the tag was checked instead of the
remaining length into the buffer.

Must be backported as far as 2.6.
---
diff --git a/src/quic_conn.c b/src/quic_conn.c index ed15f53ed5..caf04a2446 100644 --- a/src/quic_conn.c +++ b/src/quic_conn.c @@ -6677,7 +6677,7 @@ static int send_retry(int fd, struct sockaddr_storage *addr, i += token_len; /* token integrity tag */ - if ((&buf[i] - buf < QUIC_TLS_TAG_LEN) || + if ((sizeof(buf) - i < QUIC_TLS_TAG_LEN) || !quic_tls_generate_retry_integrity_tag(pkt->dcid.data, pkt->dcid.len, buf, i, qv)) { TRACE_ERROR("quic_tls_generate_retry_integrity_tag() failed", QUIC_EV_CONN_TXPKT);
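
Review bot: In the new condition `sizeof(buf) - i < QUIC_TLS_TAG_LEN`, the subtraction is carried out in `size_t`, so it is a valid remaining-length check only if `i <= sizeof(buf)` already holds at this point; if `i` could ever exceed the buffer size after the `i += token_len` just above, the difference wraps to a very large value and the check passes. The declarations of `buf` and `i` and the bound on the token copy are outside this hunk, so please confirm the earlier writes are bounded, or make the guard self-contained, for example `i > sizeof(buf) || sizeof(buf) - i < QUIC_TLS_TAG_LEN`. The expression also depends on `buf` being an array in `send_retry()` and not a pointer, since `sizeof` on a pointer would yield the pointer size; a named length constant or a short comment would make that explicit. Separately, the failure path still traces "quic_tls_generate_retry_integrity_tag() failed" when the real cause is insufficient space for the tag, which can mislead during debugging; a distinct message for the length check would help.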