BUG/MINOR: xprt_qstrm: reduce max record length check
authorAmaury Denoyelle <adenoyelle@haproxy.com>
Mon, 20 Apr 2026 07:21:08 +0000 (09:21 +0200)
committerAmaury Denoyelle <adenoyelle@haproxy.com>
Mon, 20 Apr 2026 08:21:30 +0000 (10:21 +0200)
When trying to read QMux transport parameters frame, the record length
is checked to ensure it is not bigger than the buffer size. The
objective is to detect as soon as possible when receiving data that
cannot be handled and to close the connection.

However, this check was not accurate, as it did not take into account the
size of the record length field itself. This patch fixes the comparison
by subtracting the size of the decoded varint.

No need to backport.

src/xprt_qstrm.c

index 218be34d6013ac2a31bfb811e5fee8db9cc9ff25..c2b330fdaa3b598cae5a775afa820b2ba30397b5 100644 (file)
@@ -59,7 +59,7 @@ int conn_recv_qstrm(struct connection *conn, struct xprt_qstrm_ctx *ctx, int fla
        struct buffer *buf = &ctx->rxbuf;
        const unsigned char *pos, *old, *end;
        uint64_t rlen;
-       size_t ret;
+       size_t ret, rlen_sz = 0;
 
        if (!conn_ctrl_ready(conn))
                goto fail;
@@ -83,11 +83,11 @@ int conn_recv_qstrm(struct connection *conn, struct xprt_qstrm_ctx *ctx, int fla
 
        /* Read record length. */
        if (!ctx->rxrlen) {
-               if (!b_quic_dec_int(&rlen, buf, NULL))
+               if (!b_quic_dec_int(&rlen, buf, &rlen_sz))
                        goto not_ready;
 
                /* Reject too small or too big records. */
-               if (!rlen || rlen > b_size(buf))
+               if (!rlen || rlen > b_size(buf) - rlen_sz)
                        goto fail;
 
                ctx->rxrlen = rlen;
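Review bot: The corrected bound `if (!rlen || rlen > b_size(buf) - rlen_sz)` deserves a comment, because the subtraction is only meaningful if the varint length prefix occupies rxbuf space alongside the payload it describes; I would add `/* The record and its varint length prefix must both fit in rxbuf. */` above it. The subtraction cannot underflow as long as b_quic_dec_int() only succeeds after reading rlen_sz bytes out of buf, so that b_size(buf) >= rlen_sz always holds — worth stating explicitly, since b_size() and rlen_sz are both size_t and an unsigned underflow here would silently accept any length. Whether b_quic_dec_int() consumes the prefix from buf or leaves it in place is not visible in this hunk; if it consumes it, the tighter bound is slightly conservative rather than wrong, which is still the safe direction for a fail-fast check. conn_recv_qstrm() begins and ends outside this hunk.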