From: Frédéric Lécaille <flecaille@haproxy.com>
Date: Wed, 2 Feb 2022 08:44:22 +0000 (+0100)
Subject: MINOR: quic: Wrong datagram buffer passed to quic_lstnr_dgram_dispatch()
X-Git-Tag: v2.6-dev2~200
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f6f7520b9b994544a29ad0a35aa58319b26c3fec;p=thirdparty%2Fhaproxy.git

MINOR: quic: Wrong datagram buffer passed to quic_lstnr_dgram_dispatch()

The same datagram could be passed to quic_lstnr_dgram_dispatch() before
being consumed by qc_lstnr_pkt_rcv() leading to a wrong decryption for the packet
number decryption, then a decryption error for the data. This was due to
a wrong datagram buffer passed to quic_lstnr_dgram_dispatch(). The datagram data
which must be passed to quic_lstnr_dgram_dispatch() are the same as the one
passed to recvfrom().
---

diff --git a/src/quic_sock.c b/src/quic_sock.c
index 087a65dedb..9a1e5b0637 100644
--- a/src/quic_sock.c
+++ b/src/quic_sock.c
@@ -176,6 +176,7 @@ void quic_sock_fd_iocb(int fd)
 	size_t max_sz, cspace;
 	socklen_t saddrlen;
 	struct quic_dgram *dgram, *dgramp, *new_dgram;
+	unsigned char *dgram_buf;
 
 	BUG_ON(!l);
 
@@ -224,11 +225,13 @@ void quic_sock_fd_iocb(int fd)
 		b_add(buf, cspace);
 		if (b_contig_space(buf) < max_sz)
 			goto out;
+
 	}
 
+	dgram_buf = (unsigned char *)b_tail(buf);
 	saddrlen = sizeof saddr;
 	do {
-		ret = recvfrom(fd, b_tail(buf), max_sz, 0,
+		ret = recvfrom(fd, dgram_buf, max_sz, 0,
 		               (struct sockaddr *)&saddr, &saddrlen);
 		if (ret < 0) {
 			if (errno == EINTR)
@@ -240,8 +243,8 @@ void quic_sock_fd_iocb(int fd)
 	} while (0);
 
 	b_add(buf, ret);
-	if (!quic_lstnr_dgram_dispatch((unsigned char *)b_head(buf), ret,
-	                               l, &saddr, new_dgram, &rxbuf->dgrams)) {
+	if (!quic_lstnr_dgram_dispatch(dgram_buf, ret, l, &saddr,
+	                               new_dgram, &rxbuf->dgrams)) {
 		/* If wrong, consume this datagram */
 		b_del(buf, ret);
 	}