BUG/MINOR: quic: Fix another buffer overflow with sockaddr_in46
authorOlivier Houchard <ohouchard@haproxy.com>
Fri, 29 May 2026 14:03:26 +0000 (16:03 +0200)
committerOlivier Houchard <cognet@ci0.org>
Fri, 29 May 2026 13:36:43 +0000 (15:36 +0200)
Very similarly to what was fixed with commit
63f853957af3ee062493bb3700f964ce456125b0, we cast a sockaddr_in46 in
quic_dgram_parse() to sockaddr_storage while providing source and
destination addresses to qc_handle_conn_migration(), which will then
copy the whole sockaddr_storage, thus reading memory past what was
provided.
While this most likely won't have any impact, let's do the right thing,
and use in46un_to_addr() to generate a real sockaddr_storage.
This does not need to be backported.

src/quic_rx.c

index e0dd4036efbce14cfdb8b34313a93a0c13a59a7b..06b3f3e99a0bac12a5a095de5e2885be2f8b9195 100644 (file)
@@ -2494,9 +2494,10 @@ int quic_dgram_parse(struct quic_dgram *dgram, struct quic_conn *from_qc,
 
                /* Detect QUIC connection migration. */
                if (li && ipcmp(&qc->peer_addr, (struct sockaddr_storage *)&dgram->saddr, 1)) {
-                       if (qc_handle_conn_migration(qc,
-                           (struct sockaddr_storage *)&dgram->saddr,
-                           (struct sockaddr_storage *)&dgram->daddr)) {
+                       struct sockaddr_storage src, dst;
+                       in46un_to_addr(&dgram->saddr, &src);
+                       in46un_to_addr(&dgram->daddr, &dst);
+                       if (qc_handle_conn_migration(qc, &src, &dst)) {
                                /* Skip the entire datagram. */
                                TRACE_ERROR("error during connection migration, datagram dropped", QUIC_EV_CONN_LPKT, qc);
                                pkt->len = end - pos;
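Review bot: The `ipcmp()` call on the `if` line still casts `&dgram->saddr` to `struct sockaddr_storage *`, the same pattern the commit removes one line below for `qc_handle_conn_migration()`; whether that comparison over-reads depends on how much of the struct `ipcmp()` touches, which is not visible here, but it leaves the comparison and the migration call disagreeing about the address representation. Since `src` is now built anyway, hoisting the conversion above the condition keeps a single representation: `struct sockaddr_storage src, dst; in46un_to_addr(&dgram->saddr, &src); if (li && ipcmp(&qc->peer_addr, &src, 1)) {` with `in46un_to_addr(&dgram->daddr, &dst);` kept inside the block. If `in46un_to_addr()` can fail for an unexpected address family, its return value is ignored on both new calls, so either confirm it cannot or check it before passing `&src`/`&dst` on. quic_dgram_parse() starts and ends outside this hunk.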