authorHugo Landau <hlandau@openssl.org>2023-06-06 16:25:11 +0100
committerPauli <pauli@openssl.org>2023-07-17 08:17:57 +1000
commit283938fca59a7930a28e748e8ab7c2d15281c681 (patch)
treec635fef243213082cb9168112d194edda07a9436
parent212616ed098bcf1190b6f687b234393b33168ba9 (diff)
RFC 9000 s. 19.8: Enforce maximum stream size
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21135)
-rw-r--r--ssl/quic/quic_rx_depack.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/ssl/quic/quic_rx_depack.c b/ssl/quic/quic_rx_depack.c
index 6e2067f451..c75363d038 100644
--- a/ssl/quic/quic_rx_depack.c
+++ b/ssl/quic/quic_rx_depack.c
@@ -519,6 +519,21 @@ static int depack_do_frame_stream(PACKET *pkt, QUIC_CHANNEL *ch,
return 0;
}
+ /*
+ * RFC 9000 s. 19.8: "The largest offset delivered on a stream -- the sum of
+ * the offset and data length -- cannot exceed 2**62 - 1, as it is not
+ * possible to provide flow control credit for that data. Receipt of a frame
+ * that exceeds this limit MUST be treated as a connection error of type
+ * FRAME_ENCODING_ERROR or FLOW_CONTROL_ERROR."
+ */
+ if (frame_data.offset + frame_data.len > (((uint64_t)1) << 62) - 1) {
+ ossl_quic_channel_raise_protocol_error(ch,
+ QUIC_ERR_FRAME_ENCODING_ERROR,
+ frame_type,
+ "oversize stream");
+ return 0;
+ }
+
switch (stream->recv_state) {
case QUIC_RSTREAM_STATE_RECV:
case QUIC_RSTREAM_STATE_SIZE_KNOWN:
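Review bot: The bound check `frame_data.offset + frame_data.len > (((uint64_t)1) << 62) - 1` is only sound if the addition cannot wrap in 64 bits, and nothing visible in this hunk shows that both fields are already limited to 62 bits. That presumably holds because both values are decoded as QUIC variable-length integers, but the invariant is implicit and a wrapped sum would pass the check for exactly the oversized frames it is meant to reject. A wrap-proof form costs nothing: `const uint64_t max_off = (((uint64_t)1) << 62) - 1;` followed by `if (frame_data.offset > max_off || frame_data.len > max_off - frame_data.offset) {`. If the current form is kept, the comment should gain one line saying why the sum cannot overflow. depack_do_frame_stream starts and ends outside the hunk, so the decoding of frame_data is not visible here.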