From: Amaury Denoyelle Date: Mon, 9 Oct 2023 08:42:35 +0000 (+0200) Subject: BUG/MINOR: quic: reject packet with no frame X-Git-Tag: v2.9-dev8~81 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a4c59f5b9e30371e2f95ef7925033537db825e7c;p=thirdparty%2Fhaproxy.git BUG/MINOR: quic: reject packet with no frame RFC 9000 indicates that a QUIC packet with no frame must trigger a connection closure with PROTOCOL_VIOLATION error code. Implement this via an early return inside qc_parse_pkt_frms(). This should be backported up to 2.6. --- diff --git a/src/quic_rx.c b/src/quic_rx.c index 3489fef332..4685d63149 100644 --- a/src/quic_rx.c +++ b/src/quic_rx.c @@ -942,6 +942,20 @@ static int qc_parse_pkt_frms(struct quic_conn *qc, struct quic_rx_packet *pkt, pos = pkt->data + pkt->aad_len; end = pkt->data + pkt->len; + /* Packet with no frame. */ + if (pos == end) { + /* RFC9000 12.4. Frames and Frame Types + * + * The payload of a packet that contains frames MUST contain at least + * one frame, and MAY contain multiple frames and multiple frame types. + * An endpoint MUST treat receipt of a packet containing no frames as a + * connection error of type PROTOCOL_VIOLATION. Frames always fit within + * a single QUIC packet and cannot span multiple packets. + */ + quic_set_connection_close(qc, quic_err_transport(QC_ERR_PROTOCOL_VIOLATION)); + goto leave; + } + while (pos < end) { if (!qc_parse_frm(&frm, pkt, &pos, end, qc)) { // trace already emitted by function above
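Review bot: the added `if (pos == end)` branch in qc_parse_pkt_frms() sets the connection close and jumps to `leave` without emitting any trace, while the qc_parse_frm() failure path just below relies on one ("trace already emitted by function above"). An error trace before `goto leave` would make an empty-payload rejection visible when debugging a dropped connection. Two smaller points on the same branch: the test is strict equality, and the loop that follows is `while (pos < end)`, so a `pos > end` case (aad_len larger than len) would skip both the check and the loop; `pos >= end` is the more defensive condition unless earlier length validation rules that out. The value returned at `leave` is not visible in this hunk, so it is worth confirming that this path reports failure to the caller rather than a successfully parsed packet.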