BUG/MAJOR: qpack: fix possible read out of bounds in static table
authorWilly Tarreau <w@1wt.eu>
Fri, 17 Mar 2023 15:40:09 +0000 (16:40 +0100)
committerWilly Tarreau <w@1wt.eu>
Fri, 17 Mar 2023 15:43:51 +0000 (16:43 +0100)
CertiK Skyfall Team reported that passing an index greater than
QPACK_SHT_SIZE in a qpack instruction referencing a literal field
name with name reference or an indexed field line will cause a
read out of bounds that may crash the process, and confirmed that
this fix addresses the issue.

This needs to be backported as far as 2.5.

src/qpack-dec.c

index 2d811564538a03d6c3036befae0098d2da20b7d9..a6e292327a720bbd8b1e6fad2c030a54ebb1f78a 100644 (file)
@@ -335,7 +335,7 @@ int qpack_decode_fs(const unsigned char *raw, uint64_t len, struct buffer *tmp,
                                goto out;
                        }
 
-                       if (static_tbl) {
+                       if (static_tbl && index < QPACK_SHT_SIZE) {
                                name = qpack_sht[index].n;
                                value = qpack_sht[index].v;
                        }
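Review bot: An out-of-range static index is no longer read by `if (static_tbl && index < QPACK_SHT_SIZE)`, but it is not explicitly rejected either: it just fails the condition, and in the second hunk (around line 370) the same condition sends it into the `else {` branch that otherwise handles the non-static case. RFC 9204 asks for an invalid static table index to be treated as a QPACK_DECOMPRESSION_FAILED connection error, so a dedicated guard ahead of the lookup would keep that outcome independent of how the fallback path evolves, e.g. `if (static_tbl && index >= QPACK_SHT_SIZE) { /* invalid static index: fail decoding */ goto out; }` with the function's error return set the same way the check just above does. The bodies of the fallback branches and the later uses of `name`/`value` lie outside both hunks, so they may already fail safely; it is worth confirming they never consume an unset `name` or `value` on this path. A short comment next to the bound check saying that `index` comes from the peer's encoded field section would also help the next reader see why it is there.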
@@ -370,7 +370,7 @@ int qpack_decode_fs(const unsigned char *raw, uint64_t len, struct buffer *tmp,
                                goto out;
                        }
 
-                       if (static_tbl) {
+                       if (static_tbl && index < QPACK_SHT_SIZE) {
                                name = qpack_sht[index].n;
                        }
                        else {