BUG/MEDIUM: quic: Missing AEAD TAG check after removing header protection
After removing the packet header protection, we can check the packet is long
enough to contain a 16-byte AEAD TAG (at the end of the packet).
This test was missing.
Must be backported to 2.6.
diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index 3705608..1589834 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -4628,6 +4628,11 @@
/* The AAD includes the packet number field found at <pn>. */
pkt->aad_len = pn - beg + pkt->pnl;
+ if (pkt->len - pkt->aad_len < QUIC_TLS_TAG_LEN) {
+ TRACE_PROTO("Too short packet", QUIC_EV_CONN_TRMHP, qc);
+ goto err;
+ }
+
qpkt_trace = pkt;
}
else {
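
Review bot: The new condition `pkt->len - pkt->aad_len < QUIC_TLS_TAG_LEN` depends on `pkt->aad_len` never exceeding `pkt->len`. If both fields are unsigned and nothing earlier in this function guarantees that ordering, the subtraction wraps to a very large value and the short-packet case is not caught. Writing the test as `pkt->len < pkt->aad_len + QUIC_TLS_TAG_LEN` avoids the dependency, or a short comment can name the earlier check that bounds `aad_len`. It would also help to put both lengths in the "Too short packet" trace, so a dropped packet can be diagnosed from the log alone.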