From: Olivier Houchard
Date: Fri, 29 May 2026 14:03:26 +0000 (+0200)
Subject: BUG/MINOR: quic: Fix another buffer overflow with sockaddr_in46
X-Git-Tag: v3.4.0~51
X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/static/gitweb.js?a=commitdiff_plain;h=d796a31945628c562392d7d37c278579a18404cd;p=haproxy.git

BUG/MINOR: quic: Fix another buffer overflow with sockaddr_in46

Very similarly to what was fixed with commit 63f853957af3ee062493bb3700f964ce456125b0, we cast a sockaddr_in46 in quic_dgram_parse() to sockaddr_storage while providing source and destination addresses to qc_handle_conn_migration(), which will then copy the whole sockaddr_storage, thus reading memory past what was provided. While this most likely won't have any impact, let's do the right thing, and use in46un_to_addr() to generate a real sockaddr_storage.

This does not need to be backported.
---

diff --git a/src/quic_rx.c b/src/quic_rx.c
index e0dd4036e..06b3f3e99 100644
--- a/src/quic_rx.c
+++ b/src/quic_rx.c
@@ -2494,9 +2494,10 @@ int quic_dgram_parse(struct quic_dgram *dgram, struct quic_conn *from_qc,
 /* Detect QUIC connection migration. */
 if (li && ipcmp(&qc->peer_addr, (struct sockaddr_storage *)&dgram->saddr, 1)) {
- if (qc_handle_conn_migration(qc,
- (struct sockaddr_storage *)&dgram->saddr,
- (struct sockaddr_storage *)&dgram->daddr)) {
+ struct sockaddr_storage src, dst;
+ in46un_to_addr(&dgram->saddr, &src);
+ in46un_to_addr(&dgram->daddr, &dst);
+ if (qc_handle_conn_migration(qc, &src, &dst)) {
 /* Skip the entire datagram. */
 TRACE_ERROR("error during connection migration, datagram dropped", QUIC_EV_CONN_LPKT, qc);
 pkt->len = end - pos;