authorHugo Landau <hlandau@openssl.org>2023-08-31 13:20:05 +0100
committerHugo Landau <hlandau@openssl.org>2023-09-01 14:06:18 +0100
commita31601cc3ffca7de688aabcd34d83ff2c4496e17 (patch)
tree20a4af8cb7131a48d8fd15a62034f96064b2284d
parentd5c3f4b2dba0202c589d1d733e88e392794dce41 (diff)
QUIC WIRE: When peeking at number of ACK ranges, ensure enough data is available
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21917)
-rw-r--r--ssl/quic/quic_wire.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/ssl/quic/quic_wire.c b/ssl/quic/quic_wire.c
index 0a2130a2d1..a38efa758a 100644
--- a/ssl/quic/quic_wire.c
+++ b/ssl/quic/quic_wire.c
@@ -488,7 +488,7 @@ int ossl_quic_wire_peek_frame_ack_num_ranges(const PACKET *orig_pkt,
uint64_t *total_ranges)
{
PACKET pkt = *orig_pkt;
- uint64_t ack_range_count;
+ uint64_t ack_range_count, i;
if (!expect_frame_header_mask(&pkt, OSSL_QUIC_FRAME_TYPE_ACK_WITHOUT_ECN,
1, NULL)
@@ -497,6 +497,18 @@ int ossl_quic_wire_peek_frame_ack_num_ranges(const PACKET *orig_pkt,
|| !PACKET_get_quic_vlint(&pkt, &ack_range_count))
return 0;
+ /*
+ * Ensure the specified number of ack ranges listed in the ACK frame header
+ * actually are available in the frame data. This naturally bounds the
+ * number of ACK ranges which can be requested by the MDPL, and therefore by
+ * the MTU. This ensures we do not allocate memory for an excessive number
+ * of ACK ranges.
+ */
+ for (i = 0; i < ack_range_count; ++i)
+ if (!PACKET_skip_quic_vlint(&pkt)
+ || !PACKET_skip_quic_vlint(&pkt))
+ return 0;
+
/* (cannot overflow because QUIC vlints can only encode up to 2**62-1) */
*total_ranges = ack_range_count + 1;
return 1;
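Review bot: The skip loop appears to start at the First ACK Range field rather than after it, so it verifies 2 × ack_range_count varints where a frame with that count needs one more; this assumes the condition lines elided between the two hunks skip only Largest Acknowledged and ACK Delay. The allocation bound described in the new comment still holds, because every counted range must be backed by at least two bytes of packet data. A frame that is short by its final varint would still pass this peek, and would presumably be rejected only later by the frame decoder. Either consume the first range before the loop with `if (!PACKET_skip_quic_vlint(&pkt)) return 0;`, or extend the comment to say that this check only bounds the allocation size and that full validation is left to the decoder. The function's closing brace lies outside the hunk.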