commit 87373e72695c3c48e75e8fc286ab98409b4b462b
author Frédéric Lécaille <flecaille@haproxy.com> Wed Apr 27 11:42:08 2022 +0200
committer Amaury Denoyelle <adenoyelle@haproxy.com> Thu Apr 28 16:22:40 2022 +0200
tree 0ddf86afdc0a3c2930d2f59c4795802631276f6e
parent 77cb38d22d4f1f6b0edae2417a65c2316906796f

BUG/MINOR: quic: Missing Initial packet length check

Any client Initial packet carried in a datagram smaller than QUIC_INITIAL_PACKET_MINLEN(200)
bytes must be discarded. This does not mean we must discard the entire datagram.
So we must at least try to parse the packet length before dropping the packet
and return its length from qc_lstnr_pkt_rcv().

src/xprt_quic.c

diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index 0065e7f..2ffad64 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -5025,12 +5025,19 @@
 	qc_parse_hd_form(pkt, *buf++, &long_header);
 	if (long_header) {
 		uint64_t len;
+		int drop_no_con = 0;
 
 		if (!quic_packet_read_long_header(&buf, end, pkt)) {
 			TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT);
 			goto err;
 		}
 
+		if (pkt->type == QUIC_PACKET_TYPE_INITIAL &&
+		    dgram->len < QUIC_INITIAL_PACKET_MINLEN) {
+			TRACE_PROTO("Too short datagram with an Initial packet", QUIC_EV_CONN_LPKT, qc);
+			drop_no_con = 1;
+		}
+
 		/* When multiple QUIC packets are coalesced on the same UDP datagram,
 		 * they must have the same DCID.
 		 */
@@ -5108,6 +5115,8 @@
 
 		payload = buf;
 		pkt->len = len + payload - beg;
+		if (drop_no_con)
+			goto drop_no_con;
 
 		qc = retrieve_qc_conn_from_cid(pkt, l, &dgram->saddr);
 		if (!qc) {
@@ -5322,6 +5331,7 @@
 	if (conn_ctx)
 		tasklet_wakeup(conn_ctx->wait_event.tasklet);
 
+ drop_no_con:
 	TRACE_LEAVE(QUIC_EV_CONN_LPKT, qc ? qc : NULL, pkt);
 
 	return pkt->len;