BUG/MEDIUM: qmux: do not crash on too large record
authorAmaury Denoyelle <adenoyelle@haproxy.com>
Wed, 27 May 2026 13:30:04 +0000 (15:30 +0200)
committerAmaury Denoyelle <adenoyelle@haproxy.com>
Wed, 27 May 2026 13:38:49 +0000 (15:38 +0200)
Remove BUG_ON() when reading a QMux record larger than the buffer. It is
now replaced by safer error handling. In the future, a proper
CONNECTION_CLOSE emission should be implemented for this case.

No need to backport.

src/qcm_qmux.c

index da55f1767b8479b75c0312674ec3448db757947c..aa2cb6a91b06920bb4694249d30e416a780c65eb 100644 (file)
@@ -145,7 +145,8 @@ int qcc_qmux_recv(struct qcc *qcc)
                 */
                if (b_head(buf) + qcc->rx.rlen > b_wrap(buf) ||
                    (!dec && b_head(buf) + b_data(buf) == b_wrap(buf))) {
-                       BUG_ON(qcc->rx.rlen > b_size(buf)); /* TODO max_record_size */
+                       /* A too large record should have been rejected earlier. */
+                       BUG_ON(qcc->rx.rlen > b_size(buf));
                        memmove(b_orig(buf), b_head(buf), b_data(buf));
                        buf->head = 0;
                }
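Review bot: The replacement comment at line 21 says the record "should have been rejected earlier" without saying where, so a reader cannot check the invariant the retained BUG_ON asserts. The only rejection visible on this page is the `qcc->rx.rlen > b_size(buf)` check on the decode path later in this same function; naming it makes the assertion verifiable: `/* Oversized records are rejected right after rlen is decoded below; this BUG_ON only asserts that invariant. */`. qcc_qmux_recv() begins before this hunk.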
@@ -171,6 +172,12 @@ int qcc_qmux_recv(struct qcc *qcc)
 
                if (b_data(buf) && !qcc->rx.rlen) {
                        dec = b_quic_dec_int(&qcc->rx.rlen, buf, NULL);
+                       if (qcc->rx.rlen > b_size(buf)) {
+                               /* TODO report FRAME_ENCODING_ERROR on max_record_size violation */
+                               qcc->conn->flags |= CO_FL_ERROR;
+                               goto out;
+                       }
+
                        /* Restart read if an incomplete record has been received
                         * until there is no more new data available.
                         */
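Review bot: The error path at lines 30-33 leaves the oversized value in qcc->rx.rlen after `goto out`, so if qcc_qmux_recv() is entered again before the connection is torn down, the loop reaches the `b_head(buf) + qcc->rx.rlen > b_wrap(buf)` branch in the earlier hunk and trips the BUG_ON that is kept there — the crash this commit sets out to remove. Unless the caller guarantees no re-entry once CO_FL_ERROR is set, either reset the state before leaving, `qcc->rx.rlen = 0;` ahead of the `goto out;` (the unconsumed data would then be re-decoded and re-flagged, which is harmless), or bail out early on CO_FL_ERROR at the function head, which lies outside this hunk. The new check also runs without consulting `dec`; if b_quic_dec_int() can write a partial value on an incomplete varint this could flag a legitimately split record, so either confirm the helper leaves rlen untouched in that case or guard with `if (dec && qcc->rx.rlen > b_size(buf))`. The `out` label and the rest of the function are outside the hunk.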