From: Amaury Denoyelle Date: Mon, 9 Feb 2026 08:04:13 +0000 (+0100) Subject: BUG/MAJOR: quic: reject invalid token X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4aa974f949d223bed1562a528f025f87aeb05b5c;p=thirdparty%2Fhaproxy.git BUG/MAJOR: quic: reject invalid token Token parsing code on INITIAL packet for the NEW_TOKEN format is not robust enough and may even crash on some rare malformed packets. This patch fixes this by adding a check on the expected length of the received token. The packet is now rejected if the token does not match QUIC_TOKEN_LEN. This check is legitimate as haproxy should only parse tokens emitted by itself. This issue has been introduced with the implementation of NEW_TOKEN tokens parsing required for 0-RTT support. This issue is assigned to CVE-2026-26081 report. This must be backported up to 3.0. Reported-by: Asim Viladi Oglu Manizada --- diff --git a/src/quic_token.c b/src/quic_token.c index 4f33447dc..9c1d69cd1 100644 --- a/src/quic_token.c +++ b/src/quic_token.c @@ -129,6 +129,11 @@ int quic_token_check(struct quic_rx_packet *pkt, goto err; } + if (tokenlen != QUIC_TOKEN_LEN) { + TRACE_ERROR("invalid token length", QUIC_EV_CONN_LPKT, qc); + goto err; + } + /* Generate the AAD. */ aadlen = ipaddrcpy(aad, &dgram->saddr); rand = token + tokenlen - QUIC_TOKEN_RAND_DLEN;
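Review bot: the new `if (tokenlen != QUIC_TOKEN_LEN)` test in `quic_token_check()` carries no comment saying why strict equality is correct, so the justification lives only in the commit message (haproxy should only parse tokens it emitted itself). A short comment above the check would record that invariant next to the code that depends on it, and would remind anyone changing the token layout that this check and `QUIC_TOKEN_LEN` have to change together. The comment could also name what is being protected: the line right after the hunk's AAD step, `rand = token + tokenlen - QUIC_TOKEN_RAND_DLEN;`, computes a pointer from the attacker-supplied length, and it is only safe once `tokenlen` is pinned to the expected size. The trace string "invalid token length" does not include the length that was received. Logging that value alongside the message would make rejected INITIAL packets easier to triage. A regression test that feeds tokens one byte shorter and one byte longer than `QUIC_TOKEN_LEN` would cover both sides of the new check for the backports.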