]> git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
projects / thirdparty / haproxy.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 156a89a)
BUG/MINOR: h3: prevent hypothetical demux failure on int overflow
authorAmaury Denoyelle <adenoyelle@haproxy.com>
Thu, 26 Jan 2023 15:03:45 +0000 (16:03 +0100)
committerAmaury Denoyelle <adenoyelle@haproxy.com>
Mon, 20 Feb 2023 10:15:09 +0000 (11:15 +0100)
h3s stores the current demux frame type and length as a state info. It
should be big enough to store a QUIC variable-length integer which is
the maximum H3 frame type and size.

Without this patch, there is a risk of integer overflow if H3 frame size
is bigger than INT_MAX. This can typically causes demux state mismatch
and demux frame error. However, no occurence has been found yet of this
bug with the current implementation.

This should be backported up to 2.6.

src/h3.c patch | blob | blame | history

diff --git a/src/h3.c b/src/h3.c
index a214a226231c09fdb96a28091f63a2b6e8422176..1572ac1b6540ada4f53b820dff592d710add81b7 100644 (file)
--- a/src/h3.c
+++ b/src/h3.c
@@ -149,8 +149,8 @@ struct h3s {
 
        enum h3s_t type;
        enum h3s_st_req st_req; /* only used for request streams */
-       int demux_frame_len;
-       int demux_frame_type;
+       uint64_t demux_frame_len;
+       uint64_t demux_frame_type;
 
        unsigned long long body_len; /* known request body length from content-length header if present */
        unsigned long long data_len; /* total length of all parsed DATA */
@@ -1838,7 +1838,7 @@ static void h3_stats_inc_err_cnt(void *ctx, int err_code)
        h3_inc_err_cnt(h3c->prx_counters, err_code);
 }
 
-static inline const char *h3_ft_str(int type)
+static inline const char *h3_ft_str(uint64_t type)
 {
        switch (type) {
        case H3_FT_DATA:         return "DATA";
@@ -1875,8 +1875,8 @@ static void h3_trace(enum trace_level level, uint64_t mask,
                        chunk_appendf(&trace_buf, " qcs=%p(%llu)", qcs, (ull)qcs->id);
 
                if (h3s && h3s->demux_frame_type != H3_FT_UNINIT) {
-                       chunk_appendf(&trace_buf, " h3s.dem=%s/%d",
-                                     h3_ft_str(h3s->demux_frame_type), h3s->demux_frame_len);
+                       chunk_appendf(&trace_buf, " h3s.dem=%s/%llu",
+                                     h3_ft_str(h3s->demux_frame_type), (ull)h3s->demux_frame_len);
                }
        }
 }
Mirror of https://github.com/haproxy/haproxy.git