BUG/MINOR: quic: reject packet too short for HP decryption

Header protection can only be performed on a packet of a minimal size.
There was already a check for this in qc_do_rm_hp() but it did not use
the correct value.

Fix this by using the correct minimal size which is 20 bytes starting
from the packet number offset. This is enough to decrypt 4 bytes (PN max
size) and 16 bytes of IV. If the packet is not big enough, it is
still silently discarded.

This must be backported up to 2.6.

diff --git a/src/quic_rx.c b/src/quic_rx.c
index 45c33c4426408ade19f6ea3fca8a90e02b134260..121780108b76fc20c9fb6ff5877aa616ccfd7a7c 100644 (file)
--- a/src/quic_rx.c
+++ b/src/quic_rx.c
@@ -88,7 +88,7 @@ static int qc_do_rm_hp(struct quic_conn *qc,
        ret = 0;
 
        /* Check there is enough data in this packet. */
-       if (pkt->len - (pn - byte0) < QUIC_PACKET_PN_MAXLEN + sizeof mask) {
+       if (pkt->len - pkt->pn_offset < QUIC_PACKET_PN_MAXLEN + QUIC_TLS_TAG_LEN) {
                TRACE_PROTO("too short packet", QUIC_EV_CONN_RMHP, qc, pkt);
                goto leave;
        }