BUG/MAJOR: qpack: fix possible read out of bounds in static table
CertiK Skyfall Team reported that passing an index greater than
QPACK_SHT_SIZE in a qpack instruction referencing a literal field
name with name reference or an indexed field line will cause a
read out of bounds that may crash the process, and confirmed that
this fix addresses the issue.
This needs to be backported as far as 2.5.
diff --git a/src/qpack-dec.c b/src/qpack-dec.c
index 2d81156..a6e2923 100644
--- a/src/qpack-dec.c
+++ b/src/qpack-dec.c
@@ -335,7 +335,7 @@
goto out;
}
- if (static_tbl) {
+ if (static_tbl && index < QPACK_SHT_SIZE) {
name = qpack_sht[index].n;
value = qpack_sht[index].v;
}
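Review bot: On the new `if (static_tbl && index < QPACK_SHT_SIZE)` line, a static-table reference whose index is out of range now skips the block without any error, so `name` and `value` keep whatever they held before this point, and nothing in the visible lines shows that to be a safe default. I would keep the outer `if (static_tbl)` and reject `index >= QPACK_SHT_SIZE` inside it as a decoding failure through the same `goto out` path used just above, so an invalid reference fails the header block instead of continuing with unset fields. Please also confirm that `index` is an unsigned type, since a signed negative value would pass the `<` test, and add a short comment stating that the bound guards `qpack_sht[]`.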
@@ -370,7 +370,7 @@
goto out;
}
- if (static_tbl) {
+ if (static_tbl && index < QPACK_SHT_SIZE) {
name = qpack_sht[index].n;
}
else {
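Review bot: Folding the bound into `if (static_tbl && index < QPACK_SHT_SIZE)` means a static reference with an out-of-range index now drops into the `else {` branch, which reads as the path for the non-static case. That turns a malformed static index into whatever the else branch does, rather than a rejected instruction. Suggest testing `static_tbl` alone, then failing with `goto out` when `index >= QPACK_SHT_SIZE`, so the else branch is only reached when `static_tbl` is not set. The same comment about the signedness of `index` applies here.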