From 4aa974f949d223bed1562a528f025f87aeb05b5c Mon Sep 17 00:00:00 2001 From: Amaury Denoyelle Date: Mon, 9 Feb 2026 09:04:13 +0100 Subject: [PATCH] BUG/MAJOR: quic: reject invalid token Token parsing code on INITIAL packet for the NEW_TOKEN format is not robust enough and may even crash on some rare malformed packets. This patch fixes this by adding a check on the expected length of the received token. The packet is now rejected if the token does not match QUIC_TOKEN_LEN. This check is legitimate as haproxy should only parse tokens emitted by itself. This issue has been introduced with the implementation of NEW_TOKEN tokens parsing required for 0-RTT support. This issue is assigned to CVE-2026-26081 report. This must be backported up to 3.0. Reported-by: Asim Viladi Oglu Manizada --- src/quic_token.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/quic_token.c b/src/quic_token.c index 4f33447dc5..9c1d69cd1f 100644 --- a/src/quic_token.c +++ b/src/quic_token.c @@ -129,6 +129,11 @@ int quic_token_check(struct quic_rx_packet *pkt, goto err; } + if (tokenlen != QUIC_TOKEN_LEN) { + TRACE_ERROR("invalid token length", QUIC_EV_CONN_LPKT, qc); + goto err; + } + /* Generate the AAD. */ aadlen = ipaddrcpy(aad, &dgram->saddr); rand = token + tokenlen - QUIC_TOKEN_RAND_DLEN; -- 2.47.3