BUG/MINOR: quic: Unchecked buffer length when building the token
As a server, an Initial does not contain a token but only the token length field
with zero as value. The remaining room was not checked before writing this field.
Must be backported to 2.6 and 2.7.
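The failure mode described above, as an added illustration that is not the project's own code: a bounds-checked writer for the token length field of a QUIC Initial packet header. The QUIC variable-length integer encoding is taken from RFC 9000 section 16; every function and buffer name here is hypothetical, the test vectors are constructed inline, and the writer checks the whole field (length prefix plus token bytes) once before it stores anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Size in bytes of the RFC 9000 varint encoding of `val`, or 0 if the
 * value exceeds 62 bits and cannot be encoded. */
static size_t quic_varint_size(uint64_t val)
{
    if (val < (1ULL << 6))  return 1;
    if (val < (1ULL << 14)) return 2;
    if (val < (1ULL << 30)) return 4;
    if (val < (1ULL << 62)) return 8;
    return 0;
}

/* Encode `val` as a varint into [pos, end). Returns bytes written, or 0
 * when the value is too large or there is not enough room; nothing is
 * stored on failure (the room check precedes the first write). */
static size_t quic_varint_encode(uint64_t val, unsigned char *pos,
                                 const unsigned char *end)
{
    static const unsigned char prefix[9] = { 0, 0x00, 0x40, 0, 0x80, 0, 0, 0, 0xc0 };
    size_t len = quic_varint_size(val);

    if (len == 0 || pos >= end || (size_t)(end - pos) < len)
        return 0;
    for (size_t i = len; i-- > 0; ) {
        pos[i] = (unsigned char)(val & 0xff);
        val >>= 8;
    }
    pos[0] |= prefix[len];
    return len;
}

/* Append the token length field and, if any, the token itself to an
 * Initial header being built in [*pos, end). A server-sent Initial uses
 * token_len == 0, which encodes as the single byte 0x00. Returns 1 and
 * advances *pos on success, 0 with the buffer untouched when the field
 * would not fit; the caller then abandons the packet, which is what a
 * "no room" path is for. */
static int encode_initial_token(unsigned char **pos, const unsigned char *end,
                                const unsigned char *token, size_t token_len)
{
    unsigned char *p = *pos;
    size_t lenlen = quic_varint_size(token_len);

    /* One up-front check covering the length prefix and the token bytes. */
    if (lenlen == 0 || p > end || (size_t)(end - p) < lenlen + token_len)
        return 0;
    if (quic_varint_encode(token_len, p, end) != lenlen)
        return 0;
    if (token_len)
        memcpy(p + lenlen, token, token_len);
    *pos = p + lenlen + token_len;
    return 1;
}

/* Constructed scenario: build into a 16-byte buffer with only `room`
 * bytes permitted and a token of `token_len` 0xAA bytes. Returns the
 * number of bytes written, 0 when the writer correctly refused, or -1 if
 * the sentinel byte just past `room` was overwritten (an overrun). */
static int build_with_room(size_t room, size_t token_len)
{
    unsigned char buf[16];
    unsigned char token[8];
    unsigned char *pos = buf;

    if (room >= sizeof(buf) || token_len > sizeof(token))
        return -1;
    memset(buf, 0x5a, sizeof(buf));      /* sentinel pattern */
    memset(token, 0xaa, sizeof(token));

    if (!encode_initial_token(&pos, buf + room, token, token_len))
        return buf[room] == 0x5a ? 0 : -1;
    return buf[room] == 0x5a ? (int)(pos - buf) : -1;
}

/* Pack the varint encoding of `val` big-endian into a uint64 so that it
 * can be compared against known vectors (e.g. 300 -> 0x412c). Returns 0
 * when the value cannot be encoded. */
static uint64_t varint_packed(uint64_t val)
{
    unsigned char buf[8];
    size_t n = quic_varint_encode(val, buf, buf + sizeof(buf));
    uint64_t out = 0;

    for (size_t i = 0; i < n; i++)
        out = (out << 8) | buf[i];
    return out;
}
```

With zero bytes of room, `build_with_room(0, 0)` refuses and the sentinel survives, which is the case the patch guards with its new `end <= pos` test; with one byte of room the single 0x00 token length byte is written and nothing more.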
diff --git a/src/quic_conn.c b/src/quic_conn.c
index 86fcc1e..10a2948 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -7771,8 +7771,13 @@
goto no_room;
/* Encode the token length (0) for an Initial packet. */
- if (pkt->type == QUIC_PACKET_TYPE_INITIAL)
+ if (pkt->type == QUIC_PACKET_TYPE_INITIAL) {
+ if (end <= pos)
+ goto no_room;
+
*pos++ = 0;
+ }
+
head_len = pos - beg;
/* Build an ACK frame if required. */
ack_frm_len = 0;
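Review bot: the new `if (end <= pos) goto no_room;` guard placed just before `*pos++ = 0;` is sufficient for the single byte stored there, but it adds a second room check right after the `goto no_room;` that opens this hunk; folding the one byte of token length for Initial packets into the length validated by that earlier check would keep a single up-front room test for the header and avoid the nested block. If the separate check is kept, a short comment saying that exactly one byte is needed would document why `end <= pos` is the right comparison here. The extra blank line inserted between the closing brace and `head_len = pos - beg;` is a style nit only.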