From ffde3168fc7fd093d5e1d904dc9a18dcc53b21b8 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?=
Date: Mon, 8 Aug 2022 18:41:16 +0200
Subject: [PATCH] BUG/MEDIUM: quic: Missing AEAD TAG check after removing header protection

After removing the packet header protection, we can check the packet is long enough to contain a 16 bytes length AEAD TAG (at this end of the packet). This test was missing.

Must be backported to 2.6.
---
 src/xprt_quic.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index 370560848..1589834f1 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -4628,6 +4628,11 @@ static inline int qc_try_rm_hp(struct quic_conn *qc,
 /* The AAD includes the packet number field found at . */
 pkt->aad_len = pn - beg + pkt->pnl;
+ if (pkt->len - pkt->aad_len < QUIC_TLS_TAG_LEN) {
+ TRACE_PROTO("Too short packet", QUIC_EV_CONN_TRMHP, qc);
+ goto err;
+ }
+
 qpkt_trace = pkt;
 }
 else {
-- 
2.47.3
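Review bot: The new guard `pkt->len - pkt->aad_len < QUIC_TLS_TAG_LEN` depends on the subtraction not wrapping; if both fields are unsigned (they read as sizes) and `pkt->aad_len` can ever exceed `pkt->len` — for instance a truncated packet whose packet-number field runs past the end — the difference wraps to a very large value and the check is bypassed, which is the opposite of what this fix intends. Phrasing it as an addition has no such failure mode: `if (pkt->len < pkt->aad_len + QUIC_TLS_TAG_LEN) {`. I cannot see where `pn`/`pkt->pnl` are validated against `pkt->len` before this point, so the invariant may already hold upstream; if so, a one-line comment above the check stating that `aad_len <= len` is guaranteed would make the reasoning visible to the next reader. qc_try_rm_hp starts and ends outside the hunk.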