QUIC: client transport parameter data length checking.

author: Sergey Kandaurov <pluknet@nginx.com> 2024-05-28 17:17:19 +0400
committer: Sergey Kandaurov <pluknet@nginx.com> 2024-05-28 17:17:19 +0400
commit: 683e304e8bfe881ef983a0f9ef5e724eec2bd974 (patch)
tree: d73866caefe34e19c9ac24ed9d18437b76170096
parent: 71ca978a352e025151a78bfcedc0d64814b062cb (diff)
download: nginx-683e304e8bfe881ef983a0f9ef5e724eec2bd974.tar.gz
nginx-683e304e8bfe881ef983a0f9ef5e724eec2bd974.zip
1 files changed, 8 insertions, 0 deletions
diff --git a/src/event/quic/ngx_event_quic_transport.c b/src/event/quic/ngx_event_quic_transport.c
index 19670a6b1..fba098caa 100644
--- a/src/event/quic/ngx_event_quic_transport.c
+++ b/src/event/quic/ngx_event_quic_transport.c
@@ -1750,6 +1750,14 @@ ngx_quic_parse_transport_params(u_char *p, u_char *end, ngx_quic_tp_t *tp,
             return NGX_ERROR;
         }
 
+        if ((size_t) (end - p) < len) {
+            ngx_log_error(NGX_LOG_INFO, log, 0,
+                          "quic failed to parse"
+                          " transport param id:0x%xL, data length %uL too long",
+                          id, len);
+            return NGX_ERROR;
+        }
+
         rc = ngx_quic_parse_transport_param(p, p + len, id, tp);
 
         if (rc == NGX_ERROR) {
author	Sergey Kandaurov <pluknet@nginx.com>	2024-05-28 17:17:19 +0400
committer	Sergey Kandaurov <pluknet@nginx.com>	2024-05-28 17:17:19 +0400
commit	683e304e8bfe881ef983a0f9ef5e724eec2bd974 (patch)
tree	d73866caefe34e19c9ac24ed9d18437b76170096
parent	71ca978a352e025151a78bfcedc0d64814b062cb (diff)
download	nginx-683e304e8bfe881ef983a0f9ef5e724eec2bd974.tar.gz nginx-683e304e8bfe881ef983a0f9ef5e724eec2bd974.zip