From: Amaury Denoyelle <adenoyelle@haproxy.com>
Date: Tue, 6 May 2025 16:01:09 +0000 (+0200)
Subject: BUG/MINOR: quic: fix TP reject on invalid max-ack-delay
X-Git-Tag: v3.2-dev15~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ffabfb0fc3ad8774024d152fc31a7711a8a9c382;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic: fix TP reject on invalid max-ack-delay

Checks are implemented on some received transport parameter values,
to reject invalid ones defined per RFC 9000. This is the case for
max_ack_delay parameter.

The check was not properly implemented as it only reject values strictly
greater than the limit set to 2^14. Fix this by rejecting values of 2^14
and above. Also, the proper error code TRANSPORT_PARAMETER_ERROR is now
set.

This should be backported up to 2.6. Note that is relies on previous
patch "MINOR: quic: extend return value on TP parsing".
---

diff --git a/src/quic_tp.c b/src/quic_tp.c
index b8a8f626a..17b41da30 100644
--- a/src/quic_tp.c
+++ b/src/quic_tp.c
@@ -349,9 +349,17 @@ quic_transport_param_decode(struct quic_transport_params *p, int server,
 
 		break;
 	case QUIC_TP_MAX_ACK_DELAY:
-		if (!quic_dec_int(&p->max_ack_delay, buf, end) ||
-			p->max_ack_delay > QUIC_TP_MAX_ACK_DELAY_LIMIT)
+		if (!quic_dec_int(&p->max_ack_delay, buf, end))
 			return QUIC_TP_DEC_ERR_TRUNC;
+
+		/* RFC 9000 18.2. Transport Parameter Definitions
+		 *
+		 * max_ack_delay (0x0b): [...]
+		 * Values of 2^14 or greater are invalid.
+		 */
+		if (p->max_ack_delay >= QUIC_TP_MAX_ACK_DELAY_LIMIT)
+			return QUIC_TP_DEC_ERR_INVAL;
+
 		break;
 	case QUIC_TP_DISABLE_ACTIVE_MIGRATION:
 		/* Zero-length parameter type. */