From: Amaury Denoyelle Date: Tue, 6 May 2025 16:01:32 +0000 (+0200) Subject: BUG/MINOR: quic: reject invalid max_udp_payload size X-Git-Tag: v3.0.11~32 X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=59b285fdfceede1a5c7dfc8190ea6120e83f3d49;p=haproxy-3.0.git BUG/MINOR: quic: reject invalid max_udp_payload size Add a check on received max_udp_payload transport parameters. As defined per RFC 9000, values below 1200 are invalid, and thus the connection must be closed with TRANSPORT_PARAMETER_ERROR code. Prior to this patch, an invalid value was silently ignored. This should be backported up to 2.6. Note that it relies on previous patch "MINOR: quic: extend return value on TP parsing". (cherry picked from commit 4bc7aa548adcd9ee424c65cd346e94f8749dce64) Signed-off-by: Willy Tarreau (cherry picked from commit c806ee0300fd82f6414a172a3c5829afaeb16eac) Signed-off-by: Christopher Faulet --- diff --git a/src/quic_tp.c b/src/quic_tp.c index 2c9f50f..bcb60e0 100644 --- a/src/quic_tp.c +++ b/src/quic_tp.c @@ -288,6 +288,16 @@ quic_transport_param_decode(struct quic_transport_params *p, int server, case QUIC_TP_MAX_UDP_PAYLOAD_SIZE: if (!quic_dec_int(&p->max_udp_payload_size, buf, end)) return QUIC_TP_DEC_ERR_TRUNC; + + /* RFC 9000 18.2. Transport Parameter Definitions + * + * max_udp_payload_size (0x03): [...] + * The default for this parameter is the maximum permitted UDP + * payload of 65527. Values below 1200 are invalid. + */ + if (p->max_udp_payload_size < 1200) + return QUIC_TP_DEC_ERR_INVAL; + break; case QUIC_TP_INITIAL_MAX_DATA: if (!quic_dec_int(&p->initial_max_data, buf, end))
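Review bot: in the QUIC_TP_MAX_UDP_PAYLOAD_SIZE case, quic_dec_int() has already written the peer's value into p->max_udp_payload_size by the time the "< 1200" check returns QUIC_TP_DEC_ERR_INVAL, so the struct still holds a value the quoted RFC text calls invalid; decode into a local and assign only after the check, or document that callers must discard p on any error return. The bare 1200 would also read better as a named constant placed next to the RFC comment. Nothing in this hunk maps QUIC_TP_DEC_ERR_INVAL to the TRANSPORT_PARAMETER_ERROR close that the commit message describes, so each backport down to 2.6 needs the prerequisite "MINOR: quic: extend return value on TP parsing" applied first, and the caller's handling of the new return value is worth confirming on every branch.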