BUG/MINOR: quic: fix TP reject on invalid max-ack-delay
author Amaury Denoyelle <adenoyelle@haproxy.com>
Tue, 6 May 2025 16:01:09 +0000 (18:01 +0200)
committer Christopher Faulet <cfaulet@haproxy.com>
Tue, 20 May 2025 16:09:26 +0000 (18:09 +0200)
Checks are implemented on some received transport parameter values,
to reject invalid ones defined per RFC 9000. This is the case for
max_ack_delay parameter.

The check was not properly implemented as it only rejects values strictly
greater than the limit set to 2^14. Fix this by rejecting values of 2^14
and above. Also, the proper error code TRANSPORT_PARAMETER_ERROR is now
set.

This should be backported up to 2.6. Note that it relies on previous
patch "MINOR: quic: extend return value on TP parsing".

(cherry picked from commit ffabfb0fc3ad8774024d152fc31a7711a8a9c382)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 732bba41245e2365eb24bdbb856f5ed44f06d262)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

src/quic_tp.c

index 618cab1..2c9f50f 100644 (file)
@@ -327,9 +327,17 @@ quic_transport_param_decode(struct quic_transport_params *p, int server,
 
                break;
        case QUIC_TP_MAX_ACK_DELAY:
-               if (!quic_dec_int(&p->max_ack_delay, buf, end) ||
-                       p->max_ack_delay > QUIC_TP_MAX_ACK_DELAY_LIMIT)
+               if (!quic_dec_int(&p->max_ack_delay, buf, end))
                        return QUIC_TP_DEC_ERR_TRUNC;
+
+               /* RFC 9000 18.2. Transport Parameter Definitions
+                *
+                * max_ack_delay (0x0b): [...]
+                * Values of 2^14 or greater are invalid.
+                */
+               if (p->max_ack_delay >= QUIC_TP_MAX_ACK_DELAY_LIMIT)
+                       return QUIC_TP_DEC_ERR_INVAL;
+
                break;
        case QUIC_TP_DISABLE_ACTIVE_MIGRATION:
                /* Zero-length parameter type. */
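
Review bot: In the QUIC_TP_MAX_ACK_DELAY case, the switch from `>` to `>=` is only correct if QUIC_TP_MAX_ACK_DELAY_LIMIT is defined as exactly 2^14 (16384). Its definition is not part of this hunk, so please confirm it, since a definition of 2^14 - 1 would make the new check reject the largest valid delay. Separately, quic_dec_int() writes directly into p->max_ack_delay before the range check, so the struct still holds the out-of-range value when QUIC_TP_DEC_ERR_INVAL is returned; either decode into a local and assign only after validation, or make sure every caller discards p on an error return. A regression test feeding 16383 (accepted) and 16384 (rejected) would pin the boundary for the backports.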