From: Frédéric Lécaille <flecaille@haproxy.com>
Date: Wed, 2 Feb 2022 13:37:37 +0000 (+0100)
Subject: MINOR: quic: Potential overflow expression in qc_parse_frm()
X-Git-Tag: v2.6-dev2~166
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ce2ecc96433272f41ad8b50d799e510d201c9fe8;p=thirdparty%2Fhaproxy.git

MINOR: quic: Potential overflow expression in qc_parse_frm()

This should fix Coverity CID 375056 where an unsigned char was used
to store a 32bit mask.
---

diff --git a/src/quic_frame.c b/src/quic_frame.c
index cd607ac3ae..721b5e02df 100644
--- a/src/quic_frame.c
+++ b/src/quic_frame.c
@@ -1000,8 +1000,8 @@ static int quic_parse_handshake_done_frame(struct quic_frame *frm, struct quic_c
 struct quic_frame_builder {
 	int (*func)(unsigned char **buf, const unsigned char *end,
                  struct quic_frame *frm, struct quic_conn *conn);
+	uint32_t mask;
 	unsigned char flags;
-	unsigned char mask;
 };
 
 const struct quic_frame_builder quic_frame_builders[] = {
@@ -1041,8 +1041,8 @@ const struct quic_frame_builder quic_frame_builders[] = {
 struct quic_frame_parser {
 	int (*func)(struct quic_frame *frm, struct quic_conn *qc,
                 const unsigned char **buf, const unsigned char *end);
+	uint32_t mask;
 	unsigned char flags;
-	unsigned char mask;
 };
 
 const struct quic_frame_parser quic_frame_parsers[] = {
@@ -1100,7 +1100,7 @@ int qc_parse_frm(struct quic_frame *frm, struct quic_rx_packet *pkt,
 	}
 
 	parser = &quic_frame_parsers[frm->type];
-	if (!(parser->mask & (1 << pkt->type))) {
+	if (!(parser->mask & (1U << pkt->type))) {
 		TRACE_DEVEL("unauthorized frame", QUIC_EV_CONN_PRSFRM, qc, frm);
 		return 0;
 	}
@@ -1126,10 +1126,10 @@ int qc_build_frm(unsigned char **buf, const unsigned char *end,
 	const struct quic_frame_builder *builder;
 
 	builder = &quic_frame_builders[frm->type];
-	if (!(builder->mask & (1 << pkt->type))) {
+	if (!(builder->mask & (1U << pkt->type))) {
 		/* XXX This it a bug to send an unauthorized frame with such a packet type XXX */
 		TRACE_DEVEL("frame skipped", QUIC_EV_CONN_BFRM, qc, frm);
-		BUG_ON(!(builder->mask & (1 << pkt->type)));
+		BUG_ON(!(builder->mask & (1U << pkt->type)));
 	}
 
 	if (end <= *buf) {