From: Amaury Denoyelle
Date: Wed, 27 May 2026 13:30:04 +0000 (+0200)
Subject: BUG/MEDIUM: qmux: do not crash on too large record
X-Git-Tag: v3.4.0~88
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=8a8898aeddb7f7cf2c62461bfa04df05208481df;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: qmux: do not crash on too large record

Remove BUG_ON() when reading a QMux record larger than the buffer. It is now replaced by a safer error handling.

In the future, a proper CONNECTION_CLOSE emission should be implemented for this case.

No need to backport.
---
diff --git a/src/qcm_qmux.c b/src/qcm_qmux.c
index da55f1767..aa2cb6a91 100644
--- a/src/qcm_qmux.c
+++ b/src/qcm_qmux.c
@@ -145,7 +145,8 @@ int qcc_qmux_recv(struct qcc *qcc)
 */
 if (b_head(buf) + qcc->rx.rlen > b_wrap(buf) ||
 (!dec && b_head(buf) + b_data(buf) == b_wrap(buf))) {
- BUG_ON(qcc->rx.rlen > b_size(buf)); /* TODO max_record_size */
+ /* A too large record should have been rejected earlier. */
+ BUG_ON(qcc->rx.rlen > b_size(buf));
 memmove(b_orig(buf), b_head(buf), b_data(buf));
 buf->head = 0;
 }
@@ -171,6 +172,12 @@ int qcc_qmux_recv(struct qcc *qcc)
 
 if (b_data(buf) && !qcc->rx.rlen) {
 dec = b_quic_dec_int(&qcc->rx.rlen, buf, NULL);
+ if (qcc->rx.rlen > b_size(buf)) {
+ /* TODO report FRAME_ENCODING_ERROR on max_record_size violation */
+ qcc->conn->flags |= CO_FL_ERROR;
+ goto out;
+ }
+
 /* Restart read if an incomplete record has been received
 * until there is no more new data available.
 */
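Review bot: The retained `BUG_ON(qcc->rx.rlen > b_size(buf))` in the memmove branch still turns an oversized record into a process abort if any path other than the decode below ever sets `rx.rlen`, which sits uneasily with a commit whose title is "do not crash on too large record". The new comment says the record "should have been rejected earlier", but the only rejection visible in this patch lives later in the same function (the check right after `b_quic_dec_int()`), so the invariant only holds if that decode is the sole writer of `rx.rlen`; that is plausible from this diff but not shown. If that cannot be guaranteed, a defensive `if (qcc->rx.rlen > b_size(buf)) { qcc->conn->flags |= CO_FL_ERROR; goto out; }` would be the safer choice, and in either case the comment would be more useful if it pointed at the actual check, e.g. `/* rlen is validated against b_size(buf) right after decoding below. */`. qcc_qmux_recv() starts before and ends after this hunk.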
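Review bot: The new size check runs unconditionally after `b_quic_dec_int()` without looking at `dec`, so it relies on a failed (incomplete varint) decode leaving `qcc->rx.rlen` at zero rather than a partial value; that contract is not visible here and is worth confirming, or the check could be guarded with `if (dec && qcc->rx.rlen > b_size(buf)) {`. The threshold compared is the local buffer size rather than a negotiated max_record_size, so the rejection point will move with buffer tuning; the TODO acknowledges this, but a comment such as `/* Temporary bound: the record must fit in the rx buffer until max_record_size is enforced. */` would save the next reader from guessing. Setting `CO_FL_ERROR` and jumping to `out` silently drops the connection, so a trace at this point (if the file has tracing) before the `goto out` would make peer-triggered rejections diagnosable. qcc_qmux_recv() and the `out` label lie outside this hunk.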