From: Amaury Denoyelle Date: Mon, 20 Apr 2026 06:36:51 +0000 (+0200) Subject: BUG/MINOR: xprt_qstrm: read record length in 64bits X-Git-Url: http://git.ipfire.org/index.cgi?a=commitdiff_plain;h=0610b4487bcd4e321ca5f38a88de29b99a78100d;p=thirdparty%2Fhaproxy.git BUG/MINOR: xprt_qstrm: read record length in 64bits QMux record lengths are encoded as a QUIC varint. Thus in theory, it requires a 64bits integer to be able to read the whole value. In practice, if the record is bigger than bufsize, read operation cannot be completed and an error must be reported. This patch fixes record length decoding both in xprt_qstrm layer, which is now performed in two steps. The value is first read in a 64bits integer instead of a size_t whose size is dependent on the architecture. Result is then checked against bufsize and if inferior stored in the previously used variable (xprt ctx rxrlen member). This should partially fix build issue reported on github #3334. No need to backport. --- diff --git a/src/xprt_qstrm.c b/src/xprt_qstrm.c index 5d4ff94be..218be34d6 100644 --- a/src/xprt_qstrm.c +++ b/src/xprt_qstrm.c @@ -58,6 +58,7 @@ int conn_recv_qstrm(struct connection *conn, struct xprt_qstrm_ctx *ctx, int fla struct quic_frame frm; struct buffer *buf = &ctx->rxbuf; const unsigned char *pos, *old, *end; + uint64_t rlen; size_t ret; if (!conn_ctrl_ready(conn)) @@ -81,12 +82,17 @@ int conn_recv_qstrm(struct connection *conn, struct xprt_qstrm_ctx *ctx, int fla goto not_ready; /* Read record length. */ - if (!ctx->rxrlen && !b_quic_dec_int(&ctx->rxrlen, buf, NULL)) - goto not_ready; + if (!ctx->rxrlen) { + if (!b_quic_dec_int(&rlen, buf, NULL)) + goto not_ready; + + /* Reject too small or too big records. */ + if (!rlen || rlen > b_size(buf)) + goto fail; + + ctx->rxrlen = rlen; + } - /* Reject too small or too big records. */ - if (!ctx->rxrlen || ctx->rxrlen > b_size(buf)) - goto fail; if (ctx->rxrlen > b_data(buf)) goto not_ready;
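Review bot: In the first hunk (@@ -58,6 +58,7 @@), `uint64_t rlen;` is declared at function scope without an initializer, yet the second hunk only assigns and reads it inside the `if (!ctx->rxrlen)` block. Declaring it inside that block would narrow its scope to the one place it holds a decoded value, so a later edit cannot read it on the path where `ctx->rxrlen` was already set and `rlen` is indeterminate.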
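Review bot: In the second hunk (@@ -81,12 +82,17 @@), the store `ctx->rxrlen = rlen;` implicitly narrows a 64-bit value into the member the commit message describes as a size_t. It is safe only because it comes after the `rlen > b_size(buf)` check. A one-line comment on the assignment stating that dependency, or an explicit `(size_t)` cast, would document why truncation cannot occur and guard against a refactor that moves the store ahead of the bound check. Note also that the range check now runs only when a new length is decoded, so a non-zero `ctx->rxrlen` carried over from an earlier call is trusted as already validated. That assumption is worth stating in the comment above the block.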