From: Amaury Denoyelle
Date: Mon, 20 Apr 2026 07:21:08 +0000 (+0200)
Subject: BUG/MINOR: xprt_qstrm: reduce max record length check
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=1f435f031b80d04e82f70a8fdf814decf77a9f7e;p=thirdparty%2Fhaproxy.git

BUG/MINOR: xprt_qstrm: reduce max record length check

When trying to read QMux transport parameters frame, the record length is checked to ensure it is not bigger than the buffer size. The objective is to detect as soon as possible when receiving data that cannot be handled and to close the connection.

In fact, this check is not accurate, as it did not take into account the size of the Record length field itself. This patch fixes the comparison by substracting with the size of the decoded varint.

No need to backport.
---

diff --git a/src/xprt_qstrm.c b/src/xprt_qstrm.c
index 218be34d6..c2b330fda 100644
--- a/src/xprt_qstrm.c
+++ b/src/xprt_qstrm.c
@@ -59,7 +59,7 @@ int conn_recv_qstrm(struct connection *conn, struct xprt_qstrm_ctx *ctx, int fla
 struct buffer *buf = &ctx->rxbuf;
 const unsigned char *pos, *old, *end;
 uint64_t rlen;
- size_t ret;
+ size_t ret, rlen_sz = 0;
 if (!conn_ctrl_ready(conn))
 goto fail;
@@ -83,11 +83,11 @@ int conn_recv_qstrm(struct connection *conn, struct xprt_qstrm_ctx *ctx, int fla
 /* Read record length. */
 if (!ctx->rxrlen) {
- if (!b_quic_dec_int(&rlen, buf, NULL))
+ if (!b_quic_dec_int(&rlen, buf, &rlen_sz))
 goto not_ready;
 /* Reject too small or too big records. */
- if (!rlen || rlen > b_size(buf))
+ if (!rlen || rlen > b_size(buf) - rlen_sz)
 goto fail;
 ctx->rxrlen = rlen;
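Review bot: The new bound `rlen > b_size(buf) - rlen_sz` in the second hunk is only a real limit while `rlen_sz <= b_size(buf)`; should b_quic_dec_int ever report more bytes than the buffer can hold, the size_t subtraction would wrap and every record length would pass, which is the opposite of the early-reject this commit aims for. That presumably cannot happen because the varint is decoded from buf itself, but nothing at the comparison site says so, and the `rlen_sz = 0` initialisation in the first hunk only covers the failure path of the decode. A one-line comment above the check, such as `/* rlen_sz was consumed from buf, so b_size(buf) - rlen_sz cannot wrap */`, would record the invariant the bound depends on. Both hunks lie inside conn_recv_qstrm, whose body starts and ends outside them.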