Posted to commits@trafficserver.apache.org by ma...@apache.org on 2018/07/12 01:35:48 UTC

[trafficserver] branch quic-latest updated: Check buffer length before reading packet length

This is an automated email from the ASF dual-hosted git repository.

maskit pushed a commit to branch quic-latest
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/quic-latest by this push:
     new 747c741  Check buffer length before reading packet length
747c741 is described below

commit 747c7419f1f5a8b704ef904297f5f1c7532bb18b
Author: Masakazu Kitajo <ma...@apache.org>
AuthorDate: Thu Jul 12 10:31:34 2018 +0900

    Check buffer length before reading packet length
---
 iocore/net/quic/QUICPacket.cc | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/iocore/net/quic/QUICPacket.cc b/iocore/net/quic/QUICPacket.cc
index 5a18b33..6678eb7 100644
--- a/iocore/net/quic/QUICPacket.cc
+++ b/iocore/net/quic/QUICPacket.cc
@@ -248,7 +248,10 @@ QUICPacketLongHeader::length(size_t &length, uint8_t *field_len, const uint8_t *
   QUICPacketLongHeader::scil(scil, packet, packet_len);
 
   size_t length_offset = LONG_HDR_OFFSET_CONNECTION_ID + dcil + scil;
-  length               = QUICIntUtil::read_QUICVariableInt(packet + length_offset);
+  if (length_offset >= packet_len) {
+    return false;
+  }
+  length = QUICIntUtil::read_QUICVariableInt(packet + length_offset);
   if (field_len) {
     *field_len = QUICVariableInt::size(packet + length_offset);
   }
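Review bot: The added guard `length_offset >= packet_len` only proves that the first byte of the Length field lies inside the packet, but a QUIC variable-length integer occupies 1, 2, 4 or 8 bytes as selected by that first byte. A packet truncated inside the field would therefore presumably still let `read_QUICVariableInt` read past `packet_len` (its implementation is not visible here). Once the existing check has made the first byte safe to inspect, I would add `if (length_offset + QUICVariableInt::size(packet + length_offset) > packet_len) { return false; }` before the read. The `scil` call on the first context line also discards its result; if it reports failure the way `packet_number_offset` does, `length_offset` can be built from an unset value and that result should be checked as well. The body of `QUICPacketLongHeader::length` starts and ends outside this hunk.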
@@ -846,14 +849,20 @@ QUICPacket::unprotect_packet_number(uint8_t *packet, size_t packet_len, const QU
       phase = QUICKeyPhase::CLEARTEXT;
       break;
     }
-    QUICPacketLongHeader::packet_number_offset(pn_offset, packet, packet_len);
+    if (!QUICPacketLongHeader::packet_number_offset(pn_offset, packet, packet_len)) {
+      Debug("quic", "Failed to calculate packet number offset");
+      return false;
+    }
 
     Debug("quic", "Unprotecting a packet number of %s packet using %s", QUICDebugNames::packet_type(type),
           QUICDebugNames::key_phase(phase));
 
   } else {
     QUICPacketShortHeader::key_phase(phase, packet, packet_len);
-    QUICPacketShortHeader::packet_number_offset(pn_offset, packet, packet_len, QUICConfigParams::scid_len());
+    if (!QUICPacketShortHeader::packet_number_offset(pn_offset, packet, packet_len, QUICConfigParams::scid_len())) {
+      Debug("quic", "Failed to calculate packet number offset");
+      return false;
+    }
   }
   sample_offset = std::min(pn_offset + 4, packet_len - aead_expansion);