]> git.ipfire.org Git - thirdparty/haproxy.git/commit
projects / thirdparty / haproxy.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d80f014) | patch
BUG/MAJOR: quic: reject invalid token
authorAmaury Denoyelle <adenoyelle@haproxy.com>
Mon, 9 Feb 2026 08:04:13 +0000 (09:04 +0100)
committerAmaury Denoyelle <adenoyelle@haproxy.com>
Thu, 12 Feb 2026 08:09:44 +0000 (09:09 +0100)
commit4aa974f949d223bed1562a528f025f87aeb05b5c
treedbc720cee460d55ed318a96b1e168fde6e52a558tree
parentd80f0143c9b6a0b83b05abf79449240591dccd2ecommit | diff
BUG/MAJOR: quic: reject invalid token

Token parsing code on INITIAL packet for the NEW_TOKEN format is not
robust enough and may even crash on some rare malformed packets.

This patch fixes this by adding a check on the expected length of the
received token. The packet is now rejected if the token does not match
QUIC_TOKEN_LEN. This check is legitimate as haproxy should only parse
tokens emitted by itself.

This issue has been introduced with the implementation of NEW_TOKEN
tokens parsing required for 0-RTT support.

This issue is assigned to CVE-2026-26081 report.

This must be backported up to 3.0.

Reported-by: Asim Viladi Oglu Manizada <manizada@pm.me>
src/quic_token.c diff | blob | blame | history
Mirror of https://github.com/haproxy/haproxy.git