BUG/MAJOR: quic: fix parsing frame type

QUIC frame type is encoded as a varint. Initially, haproxy parsed it as
a single byte, which was enough to cover frames defined in RFC9000.

The code has been extended recently to support multi-bytes encoded
value, in anticipation of QUIC frames extension support. However, there
was no check on the varint format. This is interpreted erroneously as a
PADDING frame as this serves as the initial value. Thus the rest of the
packet is incorrectly handled, with various resulting effects, including
infinite loops and/or crashes.

This patch fixes this by checking the return value of quic_dec_int(). If
varint cannot be parsed, the connection is immediately closed.

This issue is assigned to CVE-2026-26080 report.

This must be backported up to 3.2.

Reported-by: Asim Viladi Oglu Manizada <manizada@pm.me>

diff --git a/src/quic_frame.c b/src/quic_frame.c
index 499f3f69e786bd711410d53e30e16cf8a3d788e1..963cf5728a72b0b94e60c6b4e14d6c369f75ac68 100644 (file)
--- a/src/quic_frame.c
+++ b/src/quic_frame.c
@@ -1166,7 +1166,12 @@ int qc_parse_frm(struct quic_frame *frm, struct quic_rx_packet *pkt,
                goto leave;
        }
 
-       quic_dec_int(&frm->type, pos, end);
+       if (!quic_dec_int(&frm->type, pos, end)) {
+               TRACE_ERROR("malformed frame type", QUIC_EV_CONN_PRSFRM, qc);
+               quic_set_connection_close(qc, quic_err_transport(QC_ERR_FRAME_ENCODING_ERROR));
+               goto leave;
+       }
+
        if (!quic_frame_type_is_known(frm->type)) {
                /* RFC 9000 12.4. Frames and Frame Types
                 *