From: Frederic Lecaille Date: Wed, 4 Mar 2026 16:30:08 +0000 (+0100) Subject: BUG/MINOR: quic: fix OOB read in preferred_address transport parameter X-Git-Tag: v3.4-dev6~28 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cdcdc016cc19783610d953e04288d2a50689b43d;p=thirdparty%2Fhaproxy.git BUG/MINOR: quic: fix OOB read in preferred_address transport parameter This bug impacts only the QUIC backend. A QUIC server does receive a server preferred address transport parameter. In quic_transport_param_dec_pref_addr(), the boundary check for the connection ID was inverted and incorrect. This could lead to an out-of-bounds read during the following memcpy. This patch fixes the comparison to ensure the buffer has enough input data for both the CID and the mandatory Stateless Reset Token. Thank you to Kamil Frankowicz for having reported this. Must be backported to 3.3. --- diff --git a/src/quic_tp.c b/src/quic_tp.c index 2c50b1281..309411af0 100644 --- a/src/quic_tp.c +++ b/src/quic_tp.c @@ -168,7 +168,7 @@ static int quic_transport_param_dec_pref_addr(struct tp_preferred_address *addr, addr->cid.len = *(*buf)++; if (addr->cid.len) { - if (end - sizeof(addr->stateless_reset_token) - *buf > addr->cid.len || + if (end - *buf < addr->cid.len + sizeof(addr->stateless_reset_token) || addr->cid.len > sizeof(addr->cid.data)) { return 0; }
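Review bot: In the new condition `end - *buf < addr->cid.len + sizeof(addr->stateless_reset_token)`, the left side is a signed pointer difference and the right side is a `size_t`, so under the usual arithmetic conversions a negative difference becomes a very large unsigned value and passes the check. The test is only sound if `*buf <= end` still holds after `addr->cid.len = *(*buf)++`, which these lines do not show; please confirm that an earlier length check covers the CID length byte, or reject `*buf > end` explicitly before the comparison. The check also sits inside `if (addr->cid.len)`, so for a zero-length CID nothing in this hunk bounds the Stateless Reset Token read: the token copy after this block needs its own length check, or a zero-length CID should be rejected here.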