BUG/MINOR: quic: Unchecked buffer length when building the token
authorFrédéric Lécaille <flecaille@haproxy.com>
Tue, 18 Apr 2023 12:42:40 +0000 (14:42 +0200)
committerFrédéric Lécaille <flecaille@haproxy.com>
Wed, 19 Apr 2023 09:36:54 +0000 (11:36 +0200)
As a server, an Initial does not contain a token but only the token length field
with zero as value. The remaining room was not checked before writing this field.

Must be backported to 2.6 and 2.7.

src/quic_conn.c

index 86fcc1e0e4c408a0df8e23c7048750c07ebe4e97..10a2948a0e3f041a9225869a15a3398e98eea6fe 100644 (file)
@@ -7771,8 +7771,13 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end,
                goto no_room;
 
        /* Encode the token length (0) for an Initial packet. */
-       if (pkt->type == QUIC_PACKET_TYPE_INITIAL)
+       if (pkt->type == QUIC_PACKET_TYPE_INITIAL) {
+               if (end <= pos)
+                       goto no_room;
+
                *pos++ = 0;
+       }
+
        head_len = pos - beg;
        /* Build an ACK frame if required. */
        ack_frm_len = 0;
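Review bot: The new `if (end <= pos)` guard reserves exactly one byte, which is only correct because the value written is 0 and a zero token length fits in a single-byte variable-length integer; the comment above the branch should record that so the check is not silently kept if a non-zero length is ever written here. I would extend the comment to: `/* Encode the token length (0) for an Initial packet: as a server we send no token, so the length is a single-byte varint and one byte of room is enough. */`. The enclosing function qc_do_build_pkt starts before this hunk, so whether `pos < end` already holds at this point (from the check ending in the `goto no_room` on the first hunk line) cannot be confirmed here, and the explicit guard is the safer choice regardless.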