vquic: fix recvmsg loop for max_pkts

The parameter `max_pkts` was not checked in the recvmsg() implementation
of vquic_recv_packets() as the packter counter was never increased. This
led to the loop running until an EAGAIN was encountered. Which, in any
real case scenario, does no harm as long as libcurl is ingesting packets
faster than a server is able to send them.

However on a slow device and a fast network this could happen and allow
a denial of serice.

Not a real regression as the vulnerable code has never been released.
libcurl 8.16.0 does not have this bug.

Closes #19186

diff --git a/lib/vquic/vquic.c b/lib/vquic/vquic.c
index 24ba8a97e4901db46b55671512b13505d52b65f9..7533001eaf2e34e1bdf03c36119d1eea798a8806 100644 (file)
--- a/lib/vquic/vquic.c
+++ b/lib/vquic/vquic.c
@@ -539,6 +539,7 @@ static CURLcode recvmsg_packets(struct Curl_cfilter *cf,
                      msg.msg_name, msg.msg_namelen, 0, userp);
     if(result)
       goto out;
+    pkts += (nread + gso_size - 1) / gso_size;
   }
 
 out: