From: Frédéric Lécaille Date: Mon, 8 Aug 2022 16:41:16 +0000 (+0200) Subject: BUG/MEDIUM: quic: Missing AEAD TAG check after removing header protection X-Git-Tag: v2.7-dev4~78 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ffde3168fc7fd093d5e1d904dc9a18dcc53b21b8;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: quic: Missing AEAD TAG check after removing header protection After removing the packet header protection, we can check the packet is long enough to contain a 16 bytes length AEAD TAG (at this end of the packet). This test was missing. Must be backported to 2.6. --- diff --git a/src/xprt_quic.c b/src/xprt_quic.c index 3705608485..1589834f19 100644 --- a/src/xprt_quic.c +++ b/src/xprt_quic.c @@ -4628,6 +4628,11 @@ static inline int qc_try_rm_hp(struct quic_conn *qc, /* The AAD includes the packet number field found at . */ pkt->aad_len = pn - beg + pkt->pnl; + if (pkt->len - pkt->aad_len < QUIC_TLS_TAG_LEN) { + TRACE_PROTO("Too short packet", QUIC_EV_CONN_TRMHP, qc); + goto err; + } + qpkt_trace = pkt; } else {
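
Review bot: The new length test in qc_try_rm_hp(), `pkt->len - pkt->aad_len < QUIC_TLS_TAG_LEN`, is only safe if `pkt->aad_len` can never exceed `pkt->len`. If both fields are unsigned and nothing earlier in the function (not visible in this hunk) guarantees that ordering, the difference wraps to a large value and a too-short packet passes the check. Writing it as `pkt->len < pkt->aad_len + QUIC_TLS_TAG_LEN` gives the same result for well-formed packets and removes the underflow case. A one-line comment above the test saying that the 16-byte AEAD tag sits at the end of the packet, as the commit message does, would also make the intent clear to readers of the code.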