From: Amaury Denoyelle <adenoyelle@haproxy.com>
Date: Tue, 6 May 2025 16:01:32 +0000 (+0200)
Subject: BUG/MINOR: quic: reject invalid max_udp_payload size
X-Git-Tag: v3.2-dev15~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4bc7aa548adcd9ee424c65cd346e94f8749dce64;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic: reject invalid max_udp_payload size

Add a checks on received max_udp_payload transport parameters. As
defined per RFC 9000, values below 1200 are invalid, and thus the
connection must be closed with TRANSPORT_PARAMETER_ERROR code.

Prior to this patch, an invalid value was silently ignored.

This should be backported up to 2.6. Note that is relies on previous
patch "MINOR: quic: extend return value on TP parsing".
---

diff --git a/src/quic_tp.c b/src/quic_tp.c
index 17b41da30..6d6557e74 100644
--- a/src/quic_tp.c
+++ b/src/quic_tp.c
@@ -310,6 +310,16 @@ quic_transport_param_decode(struct quic_transport_params *p, int server,
 	case QUIC_TP_MAX_UDP_PAYLOAD_SIZE:
 		if (!quic_dec_int(&p->max_udp_payload_size, buf, end))
 			return QUIC_TP_DEC_ERR_TRUNC;
+
+		/* RFC 9000 18.2. Transport Parameter Definitions
+		 *
+		 * max_udp_payload_size (0x03): [...]
+		 * The default for this parameter is the maximum permitted UDP
+		 * payload of 65527. Values below 1200 are invalid.
+		 */
+		if (p->max_udp_payload_size < 1200)
+			return QUIC_TP_DEC_ERR_INVAL;
+
 		break;
 	case QUIC_TP_INITIAL_MAX_DATA:
 		if (!quic_dec_int(&p->initial_max_data, buf, end))