Fixed buffer overrun in create_transport_params() with -24.

It writes 16-bit prefix as designed, but length calculation assumed varint.

diff --git a/src/event/ngx_event_quic_transport.c b/src/event/ngx_event_quic_transport.c
index 577ad7d45fa5815fb9a695d9b1d9629d298f17b9..826af2bdd68aa3fd1ba7d62d1540df45a2d8306c 100644 (file)
--- a/src/event/ngx_event_quic_transport.c
+++ b/src/event/ngx_event_quic_transport.c
@@ -1136,7 +1136,7 @@ ngx_quic_create_transport_params(u_char *pos, u_char *end, ngx_quic_tp_t *tp)
 
     if (pos == NULL) {
 #if (quic_version < 0xff00001b)
-        len += ngx_quic_varint_len(len);
+        len += 2;
 #endif
         return len;
     }