A call to the Huffman decoder function (huff_dec()) is made from qpack_decode_fs()
without checking the buffer length passed to this function, leading to an OOB read
which can crash the process.
Thank you to Kamil Frankowicz for having reported this.
Must be backported as far as 2.6.
goto out;
}
+ if (len < length) {
+ qpack_debug_printf(stderr, "##ERR@%d\n", __LINE__);
+ ret = -QPACK_RET_TRUNCATED;
+ goto out;
+ }
+
qpack_debug_printf(stderr, " h=%d length=%llu", !!h, (unsigned long long)length);
if (h) {
char *trash;
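Review bot: the added `if (len < length)` check sits above the `qpack_debug_printf(stderr, " h=%d length=%llu", ...)` trace, so when input is rejected the debug output carries only `##ERR@%d` with the line number and never the `length` that exceeded `len`. Consider printing both values in the error path, or moving the trace above the check, so a truncated field section can be diagnosed from the log. Because the check is placed before `if (h)`, it applies whether or not the string is Huffman-encoded, while the commit message mentions only huff_dec(). A one-line comment above the check stating that the encoded string must fit entirely in the remaining `len` bytes would make that scope explicit.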