From 732bba41245e2365eb24bdbb856f5ed44f06d262 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Tue, 6 May 2025 18:01:09 +0200
Subject: [PATCH] BUG/MINOR: quic: fix TP reject on invalid max-ack-delay

Checks are implemented on some received transport parameter values, to reject invalid ones defined per RFC 9000. This is the case for max_ack_delay parameter. The check was not properly implemented as it only reject values strictly greater than the limit set to 2^14. Fix this by rejecting values of 2^14 and above. Also, the proper error code TRANSPORT_PARAMETER_ERROR is now set. This should be backported up to 2.6. Note that is relies on previous patch "MINOR: quic: extend return value on TP parsing".

(cherry picked from commit ffabfb0fc3ad8774024d152fc31a7711a8a9c382)
Signed-off-by: Willy Tarreau
---
 src/quic_tp.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/quic_tp.c b/src/quic_tp.c
index 618cab1..2c9f50f 100644
--- a/src/quic_tp.c
+++ b/src/quic_tp.c
@@ -327,9 +327,17 @@ quic_transport_param_decode(struct quic_transport_params *p, int server,
 break;
 case QUIC_TP_MAX_ACK_DELAY:
- if (!quic_dec_int(&p->max_ack_delay, buf, end) ||
- p->max_ack_delay > QUIC_TP_MAX_ACK_DELAY_LIMIT)
+ if (!quic_dec_int(&p->max_ack_delay, buf, end))
 return QUIC_TP_DEC_ERR_TRUNC;
+
+ /* RFC 9000 18.2. Transport Parameter Definitions
+ *
+ * max_ack_delay (0x0b): [...]
+ * Values of 2^14 or greater are invalid.
+ */
+ if (p->max_ack_delay >= QUIC_TP_MAX_ACK_DELAY_LIMIT)
+ return QUIC_TP_DEC_ERR_INVAL;
+
 break;
 case QUIC_TP_DISABLE_ACTIVE_MIGRATION:
 /* Zero-length parameter type. */
-- 
1.7.10.4
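Review bot: On the new `QUIC_TP_DEC_ERR_INVAL` path, `p->max_ack_delay` still holds the out-of-range value the peer sent, because `quic_dec_int()` writes into the struct before the range check runs. Whether every caller discards `p` on a non-success return is not visible here, and this field presumably feeds ACK and loss-detection timers, so either reset it before returning or state the contract in a comment, e.g. `/* on error <p> is partially filled and must not be used */`. The `>=` comparison is only correct if `QUIC_TP_MAX_ACK_DELAY_LIMIT` is exactly 2^14 (16384); the macro is defined outside this hunk, so a boundary test that accepts 16383 and rejects 16384 would pin it. The body of `quic_transport_param_decode()` starts and ends outside the hunk.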