BUG/MINOR: quic: Safer QUIC frame builders

Do not rely on the fact the callers of qc_build_frm() handle their
buffer passed to function the correct way (without leaving garbage).
Make qc_build_frm() update the buffer passed as argument only if
the frame it builds is well formed.

As far as I see, there are no callers which do not handle such buffers
carefully.

Must be backported to 2.6.
diff --git a/src/quic_frame.c b/src/quic_frame.c
index f590be2..58e9ebc 100644
--- a/src/quic_frame.c
+++ b/src/quic_frame.c
@@ -1122,6 +1122,8 @@
 
 /* Encode <frm> QUIC frame into <buf> buffer.
  * Returns 1 if succeeded (enough room in <buf> to encode the frame), 0 if not.
+ * The buffer is updated to point to one byte past the end of the built frame
+ * only if succeeded.
  */
 int qc_build_frm(unsigned char **buf, const unsigned char *end,
                  struct quic_frame *frm, struct quic_tx_packet *pkt,
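Review bot: The updated comment documents what happens to the pointer but says nothing about the buffer contents when the function returns 0. In the last hunk `*pos++ = frm->type;` still stores the type byte at the caller's original `*buf` position before the builder runs, and the builder presumably writes further bytes before it can report an error, so the memory between `*buf` and `end` may hold a partial frame after a failure. I would add a line to the comment such as `* On failure <*buf> is left unchanged, but bytes from <*buf> up to <end> may have been overwritten and must not be sent.` so that callers derive the packet length only from `*buf`. The function body lies outside this hunk.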
@@ -1129,6 +1131,7 @@
 {
 	int ret = 0;
 	const struct quic_frame_builder *builder;
+	unsigned char *pos = *buf;
 
 	TRACE_ENTER(QUIC_EV_CONN_BFRM, qc);
 	builder = &quic_frame_builders[frm->type];
@@ -1138,19 +1141,20 @@
 		BUG_ON(!(builder->mask & (1U << pkt->type)));
 	}
 
-	if (end <= *buf) {
+	if (end <= pos) {
 		TRACE_DEVEL("not enough room", QUIC_EV_CONN_BFRM, qc, frm);
 		goto leave;
 	}
 
 	TRACE_PROTO("frame", QUIC_EV_CONN_BFRM, qc, frm);
-	*(*buf)++ = frm->type;
-	if (!quic_frame_builders[frm->type].func(buf, end, frm, qc)) {
+	*pos++ = frm->type;
+	if (!quic_frame_builders[frm->type].func(&pos, end, frm, qc)) {
 		TRACE_DEVEL("frame building error", QUIC_EV_CONN_BFRM, qc, frm);
 		goto leave;
 	}
 
 	pkt->flags |= builder->flags;
+	*buf = pos;
 
 	ret = 1;
  leave:
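Review bot: The builder call `quic_frame_builders[frm->type].func(&pos, end, frm, qc)` indexes the table a second time although `builder` already points at that entry and is used for `builder->mask` above and `builder->flags` below. Writing it as `if (!builder->func(&pos, end, frm, qc)) {` keeps a single lookup, which makes it easier to audit that the mask check, the callback and the flags all come from the same table entry. The function continues past `leave:` outside this hunk.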