From: Amaury Denoyelle Date: Mon, 9 Feb 2026 08:09:33 +0000 (+0100) Subject: BUG/MAJOR: quic: fix parsing frame type X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8e16fd2cf14bbf0468de553744507ddd845e3434;p=thirdparty%2Fhaproxy.git BUG/MAJOR: quic: fix parsing frame type QUIC frame type is encoded as a varint. Initially, haproxy parsed it as a single byte, which was enough to cover frames defined in RFC9000. The code has been extended recently to support multi-bytes encoded value, in anticipation of QUIC frames extension support. However, there was no check on the varint format. This is interpreted erroneously as a PADDING frame as this serves as the initial value. Thus the rest of the packet is incorrectly handled, with various resulting effects, including infinite loops and/or crashes. This patch fixes this by checking the return value of quic_dec_int(). If varint cannot be parsed, the connection is immediately closed. This issue is assigned to CVE-2026-26080 report. This must be backported up to 3.2. Reported-by: Asim Viladi Oglu Manizada --- diff --git a/src/quic_frame.c b/src/quic_frame.c index 499f3f69e..963cf5728 100644 --- a/src/quic_frame.c +++ b/src/quic_frame.c @@ -1166,7 +1166,12 @@ int qc_parse_frm(struct quic_frame *frm, struct quic_rx_packet *pkt, goto leave; } - quic_dec_int(&frm->type, pos, end); + if (!quic_dec_int(&frm->type, pos, end)) { + TRACE_ERROR("malformed frame type", QUIC_EV_CONN_PRSFRM, qc); + quic_set_connection_close(qc, quic_err_transport(QC_ERR_FRAME_ENCODING_ERROR)); + goto leave; + } + if (!quic_frame_type_is_known(frm->type)) { /* RFC 9000 12.4. Frames and Frame Types *
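Review bot: In the new error branch of qc_parse_frm(), only this one call site is hardened, while the removed line `quic_dec_int(&frm->type, pos, end);` shows that the decoder's return value could be dropped with no compiler diagnostic. Suggest annotating quic_dec_int() with a warn-unused-result attribute, or auditing its other callers, so the same pattern cannot remain elsewhere in frame parsing. A one-line comment above the check would also help, noting that frm->type keeps its initial value when decoding fails, which is why falling through is unsafe. Finally, please confirm that the path through `leave` reports failure to the caller here, since the return variable is not visible in this hunk.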
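The failure mode the commit message describes, as an added example that is not HAProxy's code: a bounded RFC 9000 varint decoder whose result is first ignored, then checked. `varint_dec`, `frame_type_unchecked` and `frame_type_checked` are hypothetical names, and the input bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FRAME_PADDING 0x00u /* RFC 9000 PADDING frame type */
/* Hypothetical decoder (not HAProxy's): returns 1 and advances *pos on
 * success, 0 if the buffer ends before the announced length. */
static int varint_dec(uint64_t *val, const unsigned char **pos,
                      const unsigned char *end)
{
    if (*pos >= end)
        return 0;
    size_t len = (size_t)1 << (**pos >> 6); /* 2 MSBs: 1, 2, 4 or 8 bytes */
    if ((size_t)(end - *pos) < len)
        return 0;                           /* truncated varint */
    uint64_t v = **pos & 0x3f;
    for (size_t i = 1; i < len; i++)
        v = (v << 8) | (*pos)[i];
    *val = v;
    *pos += len;
    return 1;
}

/* Unchecked pattern: on failure `type` keeps its initial value (PADDING). */
static uint64_t frame_type_unchecked(const unsigned char *buf, size_t n)
{
    uint64_t type = FRAME_PADDING;
    const unsigned char *pos = buf;
    varint_dec(&type, &pos, buf + n);       /* return value dropped */
    return type;
}

/* Checked pattern: returns 0 when the caller must close the connection. */
static int frame_type_checked(const unsigned char *buf, size_t n, uint64_t *type)
{
    const unsigned char *pos = buf;
    return varint_dec(type, &pos, buf + n);
}

int main(void)
{
    /* Constructed inputs: 0x40 announces 2 bytes but only 1 is present. */
    const unsigned char cut[] = { 0x40 }, ping[] = { 0x01 };
    uint64_t t = 0;
    printf("unchecked cut: type=%llu\n", (unsigned long long)frame_type_unchecked(cut, 1));
    printf("checked cut: ok=%d\n", frame_type_checked(cut, 1, &t));
    printf("checked ping: ok=%d\n", frame_type_checked(ping, 1, &t));
    return 0;
}
```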