From: Frédéric Lécaille Date: Wed, 23 Mar 2022 13:09:09 +0000 (+0100) Subject: BUG/MINOR: quic: Wrong buffer length passed to generate_retry_token() X-Git-Tag: v2.6-dev4~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc2764e7fe725f35845e978ace5f7fadef1c695d;p=thirdparty%2Fhaproxy.git BUG/MINOR: quic: Wrong buffer length passed to generate_retry_token() After having consumed bytes from , the remaining available room to be passed to generate_retry_token() is sizeof(buf) - i. This bug could be easily reproduced with quic-qo as client which chooses a random value as ODCID length. --- diff --git a/src/xprt_quic.c b/src/xprt_quic.c index 9a1e9eb5cd..d0beb500f0 100644 --- a/src/xprt_quic.c +++ b/src/xprt_quic.c @@ -4249,8 +4249,9 @@ static int send_retry(int fd, struct sockaddr_storage *addr, i += scid.len; /* token */ - if (!(token_len = generate_retry_token(&buf[i], &buf[i] - buf, pkt))) + if (!(token_len = generate_retry_token(&buf[i], sizeof(buf) - i, pkt))) return 1; + i += token_len; /* token integrity tag */
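Review bot: In the generate_retry_token() call in send_retry(), `sizeof(buf) - i` is the remaining room only if `buf` is an array declared in this function (not a pointer) and `i` can never exceed its size, and neither is visible in this hunk. The subtraction is evaluated as an unsigned size_t, so if `i` were ever larger than `sizeof(buf)` the result would wrap to a very large length instead of signalling an error. Since the commit message says the problem shows up with a client-chosen ODCID length, and `i += scid.len` runs just before this call, please confirm that the earlier copies into `buf` are bounded, or add an explicit guard such as `if (i > sizeof(buf)) return 1;` ahead of the call. The same question applies to the code after `i += token_len;`: the token integrity tag written next needs its own check that enough room is left. Minor style point: the added blank line after `return 1;` is an unrelated whitespace change in a bug-fix commit.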