commit 129a351a3f566fb0d025dfa7fd74e21ea7ae6a91
author Frédéric Lécaille <flecaille@haproxy.com> Thu Dec 31 10:57:04 2020 +0100
committer Willy Tarreau <w@1wt.eu> Mon Jan 04 12:31:28 2021 +0100
tree e7b0db022d8f956734acc6e296d86ca4c30b2f38
parent 50044adc608798ad47a2d340d792aff887dedeab

BUG/MINOR: quic: Wrong STREAM frames parsing.

After having re-read the RFC, we noticed there are two bugs in the STREAM
frame parser. When the OFF bit (0x04) in the frame type is not set
we must set the offset to 0 (it was not set at all). When the LEN bit (0x02)
is not set we must extend the length of the data field to the end of the packet
(it was not set at all).

src/quic_frame.c

diff --git a/src/quic_frame.c b/src/quic_frame.c
index 89640f3..d80eb5a 100644
--- a/src/quic_frame.c
+++ b/src/quic_frame.c
@@ -396,10 +396,21 @@
 {
 	struct quic_stream *stream = &frm->stream;
 
-	if (!quic_dec_int(&stream->id, buf, end) ||
-	    ((frm->type & QUIC_STREAM_FRAME_OFF_BIT) && !quic_dec_int(&stream->offset, buf, end)) ||
-	    ((frm->type & QUIC_STREAM_FRAME_LEN_BIT) &&
-	     (!quic_dec_int(&stream->len, buf, end) || end - *buf < stream->len)))
+	if (!quic_dec_int(&stream->id, buf, end))
+		return 0;
+
+	/* Offset parsing */
+	if (!(frm->type & QUIC_STREAM_FRAME_OFF_BIT)) {
+		stream->offset = 0;
+	}
+	else if (!quic_dec_int(&stream->offset, buf, end))
+		return 0;
+
+	/* Length parsing */
+	if (!(frm->type & QUIC_STREAM_FRAME_LEN_BIT)) {
+		stream->len = end - *buf;
+	}
+	else if (!quic_dec_int(&stream->len, buf, end) || end - *buf < stream->len)
 		return 0;
 
 	stream->data = *buf;