BUG/MAJOR: quic: reject invalid token

Token parsing code on INITIAL packet for the NEW_TOKEN format is not
robust enough and may even crash on some rare malformed packets.

This patch fixes this by adding a check on the expected length of the
received token. The packet is now rejected if the token does not match
QUIC_TOKEN_LEN. This check is legitimate as haproxy should only parse
tokens emitted by itself.

This issue has been introduced with the implementation of NEW_TOKEN
tokens parsing required for 0-RTT support.

This issue is assigned to CVE-2026-26081 report.

This must be backported up to 3.0.

Reported-by: Asim Viladi Oglu Manizada <manizada@pm.me>

diff --git a/src/quic_token.c b/src/quic_token.c
index 4f33447dc5cdf683bd2fce065103c27e3ea9ab46..9c1d69cd1fd33fe882182548219911d5dd30cd6b 100644 (file)
--- a/src/quic_token.c
+++ b/src/quic_token.c
@@ -129,6 +129,11 @@ int quic_token_check(struct quic_rx_packet *pkt,
                goto err;
        }
 
+       if (tokenlen != QUIC_TOKEN_LEN) {
+               TRACE_ERROR("invalid token length", QUIC_EV_CONN_LPKT, qc);
+               goto err;
+       }
+
        /* Generate the AAD. */
        aadlen = ipaddrcpy(aad, &dgram->saddr);
        rand = token + tokenlen - QUIC_TOKEN_RAND_DLEN;