# HG changeset patch
# User Sergey Kandaurov <pluknet@nginx.com>
# Date 1584807759 -10800
# Node ID 556b34a863b2545018003169024566294a4b3744
# Parent  856d5a2de2584cb5b93a4651786bac1d04de6299
Fixed buffer overrun in create_transport_params() with -24.

It writes 16-bit prefix as designed, but length calculation assumed varint.

diff -r 856d5a2de258 -r 556b34a863b2 src/event/ngx_event_quic_transport.c
--- a/src/event/ngx_event_quic_transport.c	Sat Mar 21 18:44:10 2020 +0300
+++ b/src/event/ngx_event_quic_transport.c	Sat Mar 21 19:22:39 2020 +0300
@@ -1136,7 +1136,7 @@
 
     if (pos == NULL) {
 #if (quic_version < 0xff00001b)
-        len += ngx_quic_varint_len(len);
+        len += 2;
 #endif
         return len;
     }