From d796a31945628c562392d7d37c278579a18404cd Mon Sep 17 00:00:00 2001
From: Olivier Houchard
Date: Fri, 29 May 2026 16:03:26 +0200
Subject: [PATCH] BUG/MINOR: quic: Fix another buffer overflow with sockaddr_in46

Very similarly to what was fixed with commit 63f853957af3ee062493bb3700f964ce456125b0, we cast a sockaddr_in46 in quic_dgram_parse() to sockaddr_storage while providing source and destination addresses to qc_handle_conn_migration(), which will then copy the whole sockaddr_storage, thus reading memory past what was provided.

While this most likely won't have any impact, let's do the right thing, and use in46un_to_addr() to generate a real sockaddr_storage.

This does not need to be backported.
---
 src/quic_rx.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/quic_rx.c b/src/quic_rx.c
index e0dd4036e..06b3f3e99 100644
--- a/src/quic_rx.c
+++ b/src/quic_rx.c
@@ -2494,9 +2494,10 @@ int quic_dgram_parse(struct quic_dgram *dgram, struct quic_conn *from_qc,
 /* Detect QUIC connection migration. */
 if (li && ipcmp(&qc->peer_addr, (struct sockaddr_storage *)&dgram->saddr, 1)) {
- if (qc_handle_conn_migration(qc,
- (struct sockaddr_storage *)&dgram->saddr,
- (struct sockaddr_storage *)&dgram->daddr)) {
+ struct sockaddr_storage src, dst;
+ in46un_to_addr(&dgram->saddr, &src);
+ in46un_to_addr(&dgram->daddr, &dst);
+ if (qc_handle_conn_migration(qc, &src, &dst)) {
 /* Skip the entire datagram. */
 TRACE_ERROR("error during connection migration, datagram dropped", QUIC_EV_CONN_LPKT, qc);
 pkt->len = end - pos;
-- 
2.47.3
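Review bot: `src` and `dst` are declared without an initializer before in46un_to_addr() fills them; if that helper only writes the sockaddr_in / sockaddr_in6 prefix of the destination (I cannot see its body here), the trailing bytes of each sockaddr_storage that qc_handle_conn_migration() copies in full — which is exactly the behaviour the commit message describes — are now uninitialized stack bytes instead of the out-of-bounds bytes this change removes. Zero-initializing both makes the copied object fully defined regardless of what the helper writes: `struct sockaddr_storage src = { 0 }, dst = { 0 };`. The unchanged context line above still passes `(struct sockaddr_storage *)&dgram->saddr` to ipcmp(), the same cast this commit replaces; that is presumably safe if ipcmp() reads only family-specific fields, but a one-line comment saying so (or comparing against the converted `src`, at the cost of converting on every datagram rather than only on migration) would stop the next reader from flagging it. The enclosing quic_dgram_parse() starts and ends outside the hunk.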