[nginx] QUIC: client transport parameter data length checking.

Sergey Kandaurov pluknet at nginx.com
Wed May 29 14:57:42 UTC 2024


details:   https://hg.nginx.org/nginx/rev/371b6a7d0673
branches:  
changeset: 9250:371b6a7d0673
user:      Sergey Kandaurov <pluknet at nginx.com>
date:      Tue May 28 17:17:19 2024 +0400
description:
QUIC: client transport parameter data length checking.

diffstat:

 src/event/quic/ngx_event_quic_transport.c |  8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diffs (18 lines):

diff -r 2e9588d65dd9 -r 371b6a7d0673 src/event/quic/ngx_event_quic_transport.c
--- a/src/event/quic/ngx_event_quic_transport.c	Sat Nov 25 21:57:09 2023 +0000
+++ b/src/event/quic/ngx_event_quic_transport.c	Tue May 28 17:17:19 2024 +0400
@@ -1750,6 +1750,14 @@ ngx_quic_parse_transport_params(u_char *
             return NGX_ERROR;
         }
 
+        if ((size_t) (end - p) < len) {
+            ngx_log_error(NGX_LOG_INFO, log, 0,
+                          "quic failed to parse"
+                          " transport param id:0x%xL, data length %uL too long",
+                          id, len);
+            return NGX_ERROR;
+        }
+
         rc = ngx_quic_parse_transport_param(p, p + len, id, tp);
 
         if (rc == NGX_ERROR) {
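Review bot: the description only repeats the title and does not say what the added check ahead of the ngx_quic_parse_transport_param(p, p + len, id, tp) call protects. From the visible lines, len is used unchecked to form p + len as the end bound for the per-parameter parser, so a client-supplied length larger than the bytes remaining would hand it a bound past end. Stating that in the commit message would help anyone triaging or backporting this. Two smaller points on the added block: the (size_t) (end - p) cast is only sound while p <= end holds, which the preceding context presumably guarantees but the hunk does not show, so a short comment would help; and the log line could also print the remaining byte count alongside id and len, so that a rejected handshake can be diagnosed from the log alone.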

