BUG/MINOR: quic: Wrong buffer length passed to generate_retry_token()

After having consumed <i> bytes from <buf>, the remaining available room to be
passed to generate_retry_token() is sizeof(buf) - i.
This bug could be easily reproduced with quic-qo as client which chooses a random
value as ODCID length.

diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index 9a1e9eb5cdb0cfbfdb9b16eccbe284908e46b1a6..d0beb500f0163db42c81e8993b8442bae8646c54 100644 (file)
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -4249,8 +4249,9 @@ static int send_retry(int fd, struct sockaddr_storage *addr,
        i += scid.len;
 
        /* token */
-       if (!(token_len = generate_retry_token(&buf[i], &buf[i] - buf, pkt)))
+       if (!(token_len = generate_retry_token(&buf[i], sizeof(buf) - i, pkt)))
                return 1;
+
        i += token_len;
 
        /* token integrity tag */