[PATCH 2 of 7] QUIC: client transport parameter data length checking

Fri May 31 00:58:27 UTC 2024

# HG changeset patch
# User Sergey Kandaurov <pluknet at nginx.com>
# Date 1716902239 -14400
#      Tue May 28 17:17:19 2024 +0400
# Node ID f9bd4667574b1e6b36a04eb0769c510235df5488
# Parent  9e9988d46171cfe26fe0f9d24a51eb38926adbb8
QUIC: client transport parameter data length checking.

diff --git a/src/event/quic/ngx_event_quic_transport.c b/src/event/quic/ngx_event_quic_transport.c
--- a/src/event/quic/ngx_event_quic_transport.c
+++ b/src/event/quic/ngx_event_quic_transport.c
@@ -1750,6 +1750,14 @@ ngx_quic_parse_transport_params(u_char *
             return NGX_ERROR;
         }
 
+        if ((size_t) (end - p) < len) {
+            ngx_log_error(NGX_LOG_INFO, log, 0,
+                          "quic failed to parse"
+                          " transport param id:0x%xL, data length %uL too long",
+                          id, len);
+            return NGX_ERROR;
+        }
+
         rc = ngx_quic_parse_transport_param(p, p + len, id, tp);
 
         if (rc == NGX_ERROR) {


