BUG/MEDIUM: quic: Wrong use of <token_odcid> in qc_lsntr_pkt_rcv()
This commit was not complete:
"BUG/MEDIUM: quic: Possible use of uninitialized <odcid>
variable in qc_lstnr_params_init()"
<token_odcid> should have been directly passed to qc_lstnr_params_init()
without dereferencing it to prevent haproxy to have new chances to crash!
Must be backported to 2.6.
diff --git a/src/quic_tp.c b/src/quic_tp.c
index 449f94e..ca77289 100644
--- a/src/quic_tp.c
+++ b/src/quic_tp.c
@@ -643,7 +643,7 @@
const unsigned char *stateless_reset_token,
const unsigned char *dcid, size_t dcidlen,
const unsigned char *scid, size_t scidlen,
- const unsigned char *token_odcid, size_t token_odcidlen)
+ const struct quic_cid *token_odcid)
{
struct quic_transport_params *rx_params = &qc->rx.params;
struct tp_cid *odcid_param = &rx_params->original_destination_connection_id;
@@ -655,8 +655,8 @@
sizeof rx_params->stateless_reset_token);
/* Copy original_destination_connection_id transport parameter. */
if (token_odcid) {
- memcpy(odcid_param->data, token_odcid, token_odcidlen);
- odcid_param->len = token_odcidlen;
+ memcpy(odcid_param->data, token_odcid->data, token_odcid->len);
+ odcid_param->len = token_odcid->len;
/* Copy retry_source_connection_id transport parameter. */
memcpy(rx_params->retry_source_connection_id.data, dcid, dcidlen);
rx_params->retry_source_connection_id.len = dcidlen;