# HG changeset patch
# User Sergey Kandaurov <pluknet@nginx.com>
# Date 1716902239 -14400
# Node ID 081d4beeb591dd5737c26bfb0647e536979801f3
# Parent  da400acf37560f6c97dd008c3bb76c4d0f01b79f
QUIC: client transport parameter data length checking.

diff -r da400acf3756 -r 081d4beeb591 src/event/quic/ngx_event_quic_transport.c
--- a/src/event/quic/ngx_event_quic_transport.c	Wed Apr 10 09:38:10 2024 +0300
+++ b/src/event/quic/ngx_event_quic_transport.c	Tue May 28 17:17:19 2024 +0400
@@ -1750,6 +1750,14 @@
             return NGX_ERROR;
         }
 
+        if ((size_t) (end - p) < len) {
+            ngx_log_error(NGX_LOG_INFO, log, 0,
+                          "quic failed to parse"
+                          " transport param id:0x%xL, data length %uL too long",
+                          id, len);
+            return NGX_ERROR;
+        }
+
         rc = ngx_quic_parse_transport_param(p, p + len, id, tp);
 
         if (rc == NGX_ERROR) {