BUG/MINOR: quic: fix OOB read in preferred_address transport parameter

This bug impacts only the QUIC backend. A QUIC server does receive
a server preferred address transport parameter.

In quic_transport_param_dec_pref_addr(), the boundary check for the
connection ID was inverted and incorrect. This could lead to an
out-of-bounds read during the following memcpy.

This patch fixes the comparison to ensure the buffer has enough input data
for both the CID and the mandatory Stateless Reset Token.

Thank you to Kamil Frankowicz for having reported this.

Must be backported to 3.3.

diff --git a/src/quic_tp.c b/src/quic_tp.c
index 2c50b12816ff5697e23b0c44b985e182a90c280c..309411af03e943a24a023c049eabb2dd3e197b72 100644 (file)
--- a/src/quic_tp.c
+++ b/src/quic_tp.c
@@ -168,7 +168,7 @@ static int quic_transport_param_dec_pref_addr(struct tp_preferred_address *addr,
 
        addr->cid.len = *(*buf)++;
        if (addr->cid.len) {
-               if (end - sizeof(addr->stateless_reset_token) - *buf > addr->cid.len ||
+               if (end - *buf < addr->cid.len + sizeof(addr->stateless_reset_token) ||
                    addr->cid.len > sizeof(addr->cid.data)) {
                        return 0;
                }