gamzinav/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BUG/MINOR: quic: Safer QUIC frame builders

Browse Source 
Do not rely on the fact the callers of qc_build_frm() handle their
buffer passed to function the correct way (without leaving garbage).
Make qc_build_frm() update the buffer passed as argument only if
the frame it builds is well formed.

As far as I sse, there is no such callers which does not handle
carefully such buffers.

Must be backported to 2.6.

(cherry picked from commit b8047de11a4a4083a9fc92bf2bd4b731163fc149)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
This commit is contained in:
Frédéric Lécaille 2022-08-23 17:40:09 +02:00 committed by Christopher Faulet
parent 0ebceedaf4
commit c1b17a46cb
2 changed files with 8 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/quic_frame.c
View File

@ -1117,12 +1117,15 @@ int qc_parse_frm(struct quic_frame *frm, struct quic_rx_packet *pkt,
/* Encode <frm> QUIC frame into <buf> buffer.
* Returns 1 if succeeded (enough room in <buf> to encode the frame), 0 if not.
* The buffer is updated to point to one byte past the end of the built frame
* only if succeeded.
*/
int qc_build_frm(unsigned char **buf, const unsigned char *end,
struct quic_frame *frm, struct quic_tx_packet *pkt,
struct quic_conn *qc)
{
const struct quic_frame_builder *builder;
unsigned char *pos = *buf;
builder = &quic_frame_builders[frm->type];
if (!(builder->mask & (1U << pkt->type))) {
@ -1131,19 +1134,20 @@ int qc_build_frm(unsigned char **buf, const unsigned char *end,
BUG_ON(!(builder->mask & (1U << pkt->type)));
}
if (end <= *buf) {
if (end <= pos) {
TRACE_DEVEL("not enough room", QUIC_EV_CONN_BFRM, qc, frm);
return 0;
}
TRACE_PROTO("frame", QUIC_EV_CONN_BFRM, qc, frm);
*(*buf)++ = frm->type;
if (!quic_frame_builders[frm->type].func(buf, end, frm, qc)) {
*pos++ = frm->type;
if (!quic_frame_builders[frm->type].func(&pos, end, frm, qc)) {
TRACE_DEVEL("frame building error", QUIC_EV_CONN_BFRM, qc, frm);
return 0;
}
pkt->flags |= builder->flags;
*buf = pos;
return 1;
}

5
src/xprt_quic.c
View File

@ -6199,9 +6199,7 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end,
if (!LIST_ISEMPTY(&frm_list)) {
struct quic_frame *tmp_cf;
list_for_each_entry_safe(cf, tmp_cf, &frm_list, list) {
unsigned char *spos = pos;
if (!qc_build_frm(&spos, end, cf, pkt, qc)) {
if (!qc_build_frm(&pos, end, cf, pkt, qc)) {
ssize_t room = end - pos;
TRACE_PROTO("Not enough room", QUIC_EV_CONN_HPKT,
qc, NULL, NULL, &room);
@ -6215,7 +6213,6 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end,
break;
}
pos = spos;
quic_tx_packet_refinc(pkt);
cf->pkt = pkt;
}