You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@trafficserver.apache.org by ma...@apache.org on 2018/07/12 01:35:48 UTC
[trafficserver] branch quic-latest updated: Check buffer length
before reading packet length
This is an automated email from the ASF dual-hosted git repository.
maskit pushed a commit to branch quic-latest
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/quic-latest by this push:
new 747c741 Check buffer length before reading packet length
747c741 is described below
commit 747c7419f1f5a8b704ef904297f5f1c7532bb18b
Author: Masakazu Kitajo <ma...@apache.org>
AuthorDate: Thu Jul 12 10:31:34 2018 +0900
Check buffer length before reading packet length
---
iocore/net/quic/QUICPacket.cc | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/iocore/net/quic/QUICPacket.cc b/iocore/net/quic/QUICPacket.cc
index 5a18b33..6678eb7 100644
--- a/iocore/net/quic/QUICPacket.cc
+++ b/iocore/net/quic/QUICPacket.cc
@@ -248,7 +248,10 @@ QUICPacketLongHeader::length(size_t &length, uint8_t *field_len, const uint8_t *
QUICPacketLongHeader::scil(scil, packet, packet_len);
size_t length_offset = LONG_HDR_OFFSET_CONNECTION_ID + dcil + scil;
- length = QUICIntUtil::read_QUICVariableInt(packet + length_offset);
+ if (length_offset >= packet_len) {
+ return false;
+ }
+ length = QUICIntUtil::read_QUICVariableInt(packet + length_offset);
if (field_len) {
*field_len = QUICVariableInt::size(packet + length_offset);
}
@@ -846,14 +849,20 @@ QUICPacket::unprotect_packet_number(uint8_t *packet, size_t packet_len, const QU
phase = QUICKeyPhase::CLEARTEXT;
break;
}
- QUICPacketLongHeader::packet_number_offset(pn_offset, packet, packet_len);
+ if (!QUICPacketLongHeader::packet_number_offset(pn_offset, packet, packet_len)) {
+ Debug("quic", "Failed to calculate packet number offset");
+ return false;
+ }
Debug("quic", "Unprotecting a packet number of %s packet using %s", QUICDebugNames::packet_type(type),
QUICDebugNames::key_phase(phase));
} else {
QUICPacketShortHeader::key_phase(phase, packet, packet_len);
- QUICPacketShortHeader::packet_number_offset(pn_offset, packet, packet_len, QUICConfigParams::scid_len());
+ if (!QUICPacketShortHeader::packet_number_offset(pn_offset, packet, packet_len, QUICConfigParams::scid_len())) {
+ Debug("quic", "Failed to calculate packet number offset");
+ return false;
+ }
}
sample_offset = std::min(pn_offset + 4, packet_len - aead_expansion);