From: Frederic Lecaille <flecaille@haproxy.com>
Date: Wed, 4 Mar 2026 13:02:28 +0000 (+0100)
Subject: BUG/MAJOR: qpack: unchecked length passed to huffman decoder
X-Git-Tag: v3.4-dev6~30
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e38b86e72c0a587b6311a56d45cd8c22286d2c8f;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: qpack: unchecked length passed to huffman decoder

A call to huffman decoder function (huff_dec()) is made from qpack_decode_fs()
without checking the buffer length passed to this function, leading to OOB read
which can crash the process.

Thank you to Kamil Frankowicz for having reported this.

Must be backport as far as 2.6.
---

diff --git a/src/qpack-dec.c b/src/qpack-dec.c
index 5798b0865..130815d6a 100644
--- a/src/qpack-dec.c
+++ b/src/qpack-dec.c
@@ -421,6 +421,12 @@ int qpack_decode_fs(const unsigned char *raw, uint64_t len, struct buffer *tmp,
 				goto out;
 			}
 
+			if (len < length) {
+				qpack_debug_printf(stderr, "##ERR@%d\n", __LINE__);
+				ret = -QPACK_RET_TRUNCATED;
+				goto out;
+			}
+
 			qpack_debug_printf(stderr, " h=%d length=%llu", !!h, (unsigned long long)length);
 			if (h) {
 				char *trash;