From: Eugene Syromiatnikov <esyr@openssl.org>
Date: Wed, 18 Mar 2026 09:13:26 +0000 (+0100)
Subject: quic_channel.c: avoid clipping in ack_delay_exponent/disable_active_migration setters
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=854ea3aa93a29e672d0a8f46e415002f3a75fe4b;p=thirdparty%2Fopenssl.git

quic_channel.c: avoid clipping in ack_delay_exponent/disable_active_migration setters

Avoid clipping of the provided values in setters due to type casting
by checking the values agains the type-specific maximum beforehand.

Fixes: 35dc6c353bfe "QUIC: Make more transport parameters configurable"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr  8 10:05:27 2026
(Merged from https://github.com/openssl/openssl/pull/30485)
---

diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c
index a980f87d008..ab33e66efd4 100644
--- a/ssl/quic/quic_channel.c
+++ b/ssl/quic/quic_channel.c
@@ -4239,6 +4239,14 @@ int ossl_quic_channel_set_ack_delay_exponent_request(QUIC_CHANNEL *ch, uint64_t
     if (ossl_quic_channel_have_generated_transport_params(ch))
         return 0;
 
+    /*
+     * ossl_quic_tx_packetiser_args_st::ack_delay_exponent is uint32_t,
+     * but quic_channel_st::tx_ack_delay_exp is unsigned char, checking
+     * against the smaller type.
+     */
+    if (exp > UCHAR_MAX)
+        return 0;
+
     if (!ossl_quic_tx_packetiser_set_ack_delay_exponent(ch->txp, (uint32_t)exp))
         return 0;
 
@@ -4282,6 +4290,9 @@ int ossl_quic_channel_set_disable_active_migration_request(QUIC_CHANNEL *ch, uin
     if (ossl_quic_channel_have_generated_transport_params(ch))
         return 0;
 
+    if (disable > UCHAR_MAX)
+        return 0;
+
     ch->tx_disable_active_migration = (unsigned char)disable;
     return 1;
 }