From: Hugo Landau Date: Tue, 6 Jun 2023 15:25:11 +0000 (+0100) Subject: QUIC CONFORMANCE: RFC 9000 s. 19.14: STREAMS_BLOCKED Frames X-Git-Tag: openssl-3.2.0-alpha1~438 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f80e61b61f660e721d5cc7325a1a2bacbc7f34a6;p=thirdparty%2Fopenssl.git QUIC CONFORMANCE: RFC 9000 s. 19.14: STREAMS_BLOCKED Frames Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21135)
---
diff --git a/ssl/quic/quic_rx_depack.c b/ssl/quic/quic_rx_depack.c
index be4772e2f37..2506c8398cf 100644
--- a/ssl/quic/quic_rx_depack.c
+++ b/ssl/quic/quic_rx_depack.c
@@ -835,6 +835,20 @@ static int depack_do_frame_streams_blocked(PACKET *pkt,
 /* This frame makes the packet ACK eliciting */
 ackm_data->is_ack_eliciting = 1;
 
+ if (max_data > (((uint64_t)1) << 60)) {
+ /*
+ * RFC 9000 s. 19.14: "This value cannot exceed 2**60, as it is not
+ * possible to encode stream IDs larger than 2**62 - 1. Receipt of a
+ * frame that encodes a larger stream ID MUST be treated as a connection
+ * error of type STREAM_LIMIT_ERROR or FRAME_ENCODING_ERROR."
+ */
+ ossl_quic_channel_raise_protocol_error(ch,
+ QUIC_ERR_STREAM_LIMIT_ERROR,
+ frame_type,
+ "invalid stream count limit");
+ return 0;
+ }
+
 /* No-op - informative/debugging frame. */
 return 1;
 }
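Review bot: The bound in the added `if (max_data > (((uint64_t)1) << 60))` is an unnamed literal, and the variable it tests is called `max_data` although the error text ("invalid stream count limit") shows it carries a peer-supplied stream count. RFC 9000 s. 19.11 places the same 2**60 ceiling on MAX_STREAMS, so a single named constant shared by both frame handlers would keep the two validation checks from drifting apart, e.g. `if (max_data > QUIC_STREAM_COUNT_LIMIT_PLACEHOLDER)` (placeholder name, not an identifier from this page). The comparison itself matches the quoted RFC text, since a value of exactly 2**60 is still accepted and only larger values raise the connection error. The declaration of `max_data` and the start of depack_do_frame_streams_blocked lie outside the hunk, so renaming it to something like `max_streams` needs to be confirmed against the rest of the function.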