From 160507d0ba8d75392f631dc0ef0eecdf40c26719 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Tue, 24 May 2022 16:30:11 +0200
Subject: [PATCH] BUG/MINOR: h3: prevent overflow when parsing SETTINGS

h3_parse_settings_frm() read one byte after the frame payload. Fix the parsing code.

In most cases, this has no impact as we are inside an allocated buffer but it could cause a segfault depending on the buffer alignment.
---
 src/h3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/h3.c b/src/h3.c
index 75ab2b8487..429325863b 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -352,7 +352,7 @@ static int h3_parse_settings_frm(struct h3c *h3c, const struct ncbuf *rxbuf, siz
 buf = (const unsigned char *)ncb_head(rxbuf);
 end = buf + flen;
- while (buf <= end) {
+ while (buf < end) {
 if (!quic_dec_int(&id, &buf, end) || !quic_dec_int(&value, &buf, end))
 return 0;
-- 
2.47.3
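Review bot: The bound `end = buf + flen` is still built from the frame length alone, and nothing in the visible lines checks that `flen` bytes are actually readable in one contiguous run starting at `ncb_head(rxbuf)`. The corrected `buf < end` condition stops the one-byte over-read, but both `quic_dec_int()` calls trust `end`, so a peer-supplied `flen` larger than the contiguous data would presumably still walk past valid memory unless the caller has already validated it. If that guarantee exists upstream, record it above the assignment, e.g. `/* caller guarantees <flen> contiguous bytes from ncb_head(rxbuf); <end> is one past the payload */`; if it does not, reject the frame before the loop. The function starts and ends outside this hunk, so any check earlier in the body is not visible here.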