From: Amaury Denoyelle Date: Tue, 26 May 2026 15:21:07 +0000 (+0200) Subject: BUG/MINOR: quic: reject packet too short for HP decryption X-Git-Tag: v3.4-dev14~10 X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/NGINX-js-1660x332.png%20%22NGINX%20JavaScript%20Banner%22?a=commitdiff_plain;h=ce9371a768a6df6591bd8cc4c44c61f5a3049925;p=haproxy.git BUG/MINOR: quic: reject packet too short for HP decryption Header protection can only be performed on a packet of a minimal size. There was already a check for this in qc_do_rm_hp() but it did not use the correct value. Fix this by using the correct minimal size which is 20 bytes starting from the packet number offset. This is enough to decrypt 4 bytes (PN max size) and 16 bytes of IV. If the packet is not big enough, it is still silently discarded. This must be backported up to 2.6. --- diff --git a/src/quic_rx.c b/src/quic_rx.c index 45c33c442..121780108 100644 --- a/src/quic_rx.c +++ b/src/quic_rx.c @@ -88,7 +88,7 @@ static int qc_do_rm_hp(struct quic_conn *qc, ret = 0; /* Check there is enough data in this packet. */ - if (pkt->len - (pn - byte0) < QUIC_PACKET_PN_MAXLEN + sizeof mask) { + if (pkt->len - pkt->pn_offset < QUIC_PACKET_PN_MAXLEN + QUIC_TLS_TAG_LEN) { TRACE_PROTO("too short packet", QUIC_EV_CONN_RMHP, qc, pkt); goto leave; }
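Review bot: In the changed condition in qc_do_rm_hp(), `pkt->len - pkt->pn_offset` is evaluated before the comparison, so if both fields are unsigned (their types are not visible in this hunk) and pn_offset can ever exceed len, the difference wraps to a large value and a too-short packet passes the check. Unless the caller already guarantees pn_offset <= len, the additive form avoids the subtraction: `if (pkt->len < pkt->pn_offset + QUIC_PACKET_PN_MAXLEN + QUIC_TLS_TAG_LEN)`. Separately, the commit message explains the 20 bytes as 4 bytes of maximum PN size plus 16 bytes of IV, while the code expresses the 16 with QUIC_TLS_TAG_LEN and the comment only says "Check there is enough data in this packet."; stating that breakdown in the comment would keep the reuse of the tag-length constant from being read as a mistake.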