BUG/MAJOR: mux_quic: fix invalid PROTOCOL_VIOLATION on POST data overlap

Stream data reception is incorrect when dealing with a partially new
offset with some data already consumed out of the RX buffer. In this
case, data length is adjusted but not the data buffer. In most cases,
ncb_add() operation will be rejected as already stored data does not
correspond with the new inserted offset. This will result in an invalid
CONNECTION_CLOSE with PROTOCOL_VIOLATION.

To fix this, buffer pointer is advanced while the length is reduced.

This can be reproduced with a POST request and patching haproxy to call
qcc_recv() multiple times by copying a quic_stream frame with different
offsets.

Must be backported to 2.6.
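The overlap case the commit describes, as an added stand-alone example in C (not haproxy's code): a STREAM frame whose start lies below the stream's consumed offset must have its data pointer advanced by the same amount its length is reduced, otherwise the bytes inserted at the new offset are the wrong ones and the contiguous-buffer insert rejects them. The example also handles the neighbouring edge case of a frame that is entirely below the consumed offset, which must be dropped rather than trimmed (an unsigned length would otherwise wrap). The names rx_state, rx_offset and trim_consumed_prefix are assumptions for illustration, and the frame bytes are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-stream receive state (assumed name): rx_offset is the
 * first byte not yet consumed out of the RX buffer. Everything below it
 * has already been delivered and is no longer stored. */
struct rx_state {
    uint64_t rx_offset;
};

/* Trim a STREAM frame (offset, len, data) against the consumed prefix.
 *
 * Returns 1 if data remains to be inserted, with *offset, *len and *data
 * updated together so that (*data)[0] is still the byte at *offset.
 * Returns 0 if the frame lies entirely below rx_offset and carries nothing
 * new; the caller must drop it instead of inserting it.
 *
 * Offsets and lengths are kept as uint64_t throughout so the difference is
 * never narrowed on 32-bit targets. */
static int trim_consumed_prefix(const struct rx_state *st,
                                uint64_t *offset, uint64_t *len,
                                const char **data)
{
    if (*offset >= st->rx_offset)
        return 1;                       /* nothing consumed, nothing to trim */

    /* Whole frame already consumed: trimming would wrap *len. Drop it. */
    if (*offset + *len <= st->rx_offset)
        return 0;

    uint64_t diff = st->rx_offset - *offset;
    *len  -= diff;
    *data += diff;                      /* advance the buffer WITH the length */
    *offset = st->rx_offset;
    return 1;
}

/* Demonstration: bytes 0..3 already consumed, then a retransmitted frame
 * covering offsets 0..9 arrives (constructed input). */
int main(void)
{
    struct rx_state st = { .rx_offset = 4 };
    const char frame[] = "0123456789";
    uint64_t offset = 0, len = sizeof(frame) - 1;
    const char *data = frame;

    if (trim_consumed_prefix(&st, &offset, &len, &data))
        printf("insert %llu bytes at offset %llu starting with '%c'\n",
               (unsigned long long)len, (unsigned long long)offset, data[0]);
    else
        printf("frame entirely consumed, dropped\n");
    return 0;
}
```

With only the length reduced, the insert above would place "012345" at offset 4, which disagrees with the "456789" the peer actually sent there; advancing the pointer by the same diff yields "456789", which a contiguous-buffer insert accepts.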
diff --git a/src/mux_quic.c b/src/mux_quic.c
index ff0b8ea..055c82d 100644
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -789,7 +789,10 @@
TRACE_DEVEL("newly received offset", QMUX_EV_QCC_RECV|QMUX_EV_QCS_RECV, qcc->conn, qcs);
if (offset < qcs->rx.offset) {
- len -= qcs->rx.offset - offset;
+ size_t diff = qcs->rx.offset - offset;
+
+ len -= diff;
+ data += diff;
offset = qcs->rx.offset;
}
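Review bot: `size_t diff = qcs->rx.offset - offset;` stores the difference of two stream offsets in a size_t; if `offset` and `qcs->rx.offset` are 64-bit as QUIC stream offsets are, this narrows on 32-bit builds before `len -= diff;` and `data += diff;` use it, so declaring `diff` with the same type as `offset` (or as `len`) is safer. The branch also relies on the frame not lying entirely below `qcs->rx.offset`, a condition not checked inside this hunk: if `len <= diff` reaches it, `len -= diff;` wraps for an unsigned length and `data += diff;` steps past the frame. Worth confirming the earlier path (the "newly received offset" trace suggests an existing check) guarantees `offset + len > qcs->rx.offset`, or adding an explicit early return for that case here.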