author | Hugo Landau <hlandau@openssl.org> | 2023-08-31 13:20:05 +0100 |
---|---|---|
committer | Hugo Landau <hlandau@openssl.org> | 2023-09-01 14:06:18 +0100 |
commit | a31601cc3ffca7de688aabcd34d83ff2c4496e17 (patch) | |
tree | 20a4af8cb7131a48d8fd15a62034f96064b2284d | |
parent | d5c3f4b2dba0202c589d1d733e88e392794dce41 (diff) |
QUIC WIRE: When peeking at number of ACK ranges, ensure enough data is available
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21917)
-rw-r--r-- | ssl/quic/quic_wire.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/ssl/quic/quic_wire.c b/ssl/quic/quic_wire.c
index 0a2130a2d1..a38efa758a 100644
--- a/ssl/quic/quic_wire.c
+++ b/ssl/quic/quic_wire.c
@@ -488,7 +488,7 @@ int ossl_quic_wire_peek_frame_ack_num_ranges(const PACKET *orig_pkt,
 uint64_t *total_ranges)
 {
 PACKET pkt = *orig_pkt;
- uint64_t ack_range_count;
+ uint64_t ack_range_count, i;
 if (!expect_frame_header_mask(&pkt, OSSL_QUIC_FRAME_TYPE_ACK_WITHOUT_ECN, 1, NULL)
@@ -497,6 +497,18 @@ int ossl_quic_wire_peek_frame_ack_num_ranges(const PACKET *orig_pkt,
 || !PACKET_get_quic_vlint(&pkt, &ack_range_count))
 return 0;
+ /*
+ * Ensure the specified number of ack ranges listed in the ACK frame header
+ * actually are available in the frame data. This naturally bounds the
+ * number of ACK ranges which can be requested by the MDPL, and therefore by
+ * the MTU. This ensures we do not allocate memory for an excessive number
+ * of ACK ranges.
+ */
+ for (i = 0; i < ack_range_count; ++i)
+ if (!PACKET_skip_quic_vlint(&pkt)
+ || !PACKET_skip_quic_vlint(&pkt))
+ return 0;
+
 /* (cannot overflow because QUIC vlints can only encode up to 2**62-1) */
 *total_ranges = ack_range_count + 1;
 return 1; |
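Review bot: The added `for` loop in the second hunk is driven by `ack_range_count`, a peer-supplied value that can be as large as 2**62-1, and the new comment explains the allocation bound but not why iterating on that value is itself cheap. As far as the hunk shows, the loop stops at the first failed `PACKET_skip_quic_vlint`, so the work is bounded by the bytes left in `pkt` rather than by the declared count; I would say so in the comment, e.g. `* The loop cannot run longer than PACKET_remaining(&pkt) skips, since each skip consumes data or fails.` The diffstat lists only ssl/quic/quic_wire.c, so a regression case that feeds an ACK header declaring more ranges than the frame carries and expects a 0 return would be worth adding with this change. The lines between the two hunks and the function's closing brace are outside what is shown here.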