From: Amaury Denoyelle <adenoyelle@haproxy.com>
Date: Tue, 6 May 2025 15:59:21 +0000 (+0200)
Subject: BUG/MINOR: quic: use proper error code on invalid server TP
X-Git-Tag: v3.0.11~36
X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=2284f5d3da22ab6c36f8dd5d696e3ddcc6c0694f;p=haproxy-3.0.git

BUG/MINOR: quic: use proper error code on invalid server TP

This commit is similar to the previous one. It fixes the error code
reported when dealing with invalid received transport parameters. This
time, it handles reception of original_destination_connection_id,
preferred_address and stateless_reset_token which must not be emitted by
the client.

This should be backported up to 2.6. Note that is relies on previous
patch "MINOR: quic: extend return value on TP parsing".

(cherry picked from commit a54fdd3d926fabfc438dbaedbd3d08814fb99862)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit b70be5c97c713c12e9e2a2483b7c52a5a849fcd4)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
---

diff --git a/src/quic_tp.c b/src/quic_tp.c
index cd04730..6e53d7f 100644
--- a/src/quic_tp.c
+++ b/src/quic_tp.c
@@ -232,9 +232,19 @@ quic_transport_param_decode(struct quic_transport_params *p, int server,
 
 	switch (type) {
 	case QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID:
-		if (!server || len > sizeof p->original_destination_connection_id.data)
-			return QUIC_TP_DEC_ERR_TRUNC;
+		/* RFC 9000 18.2. Transport Parameter Definitions
+		 *
+		 * A client MUST NOT include any server-only transport parameter:
+		 * original_destination_connection_id, preferred_address,
+		 * retry_source_connection_id, or stateless_reset_token. A server MUST
+		 * treat receipt of any of these transport parameters as a connection
+		 * error of type TRANSPORT_PARAMETER_ERROR.
+		 */
+		if (!server)
+			return QUIC_TP_DEC_ERR_INVAL;
 
+		if (len > sizeof p->original_destination_connection_id.data)
+			return QUIC_TP_DEC_ERR_TRUNC;
 		if (len)
 			memcpy(p->original_destination_connection_id.data, *buf, len);
 		p->original_destination_connection_id.len = len;
@@ -252,15 +262,21 @@ quic_transport_param_decode(struct quic_transport_params *p, int server,
 		p->initial_source_connection_id_present = 1;
 		break;
 	case QUIC_TP_STATELESS_RESET_TOKEN:
-		if (!server || len != sizeof p->stateless_reset_token)
+		/* see original_destination_connection_id RFC reference above. */
+		if (!server)
+			return QUIC_TP_DEC_ERR_INVAL;
+
+		if (len != sizeof p->stateless_reset_token)
 			return QUIC_TP_DEC_ERR_TRUNC;
 		memcpy(p->stateless_reset_token, *buf, len);
 		*buf += len;
 		p->with_stateless_reset_token = 1;
 		break;
 	case QUIC_TP_PREFERRED_ADDRESS:
+		/* see original_destination_connection_id RFC reference above. */
 		if (!server)
-			return QUIC_TP_DEC_ERR_TRUNC;
+			return QUIC_TP_DEC_ERR_INVAL;
+
 		if (!quic_transport_param_dec_pref_addr(&p->preferred_address, buf, *buf + len))
 			return QUIC_TP_DEC_ERR_TRUNC;
 		p->with_preferred_address = 1;