From 283938fca59a7930a28e748e8ab7c2d15281c681 Mon Sep 17 00:00:00 2001
From: Hugo Landau
Date: Tue, 6 Jun 2023 16:25:11 +0100
Subject: RFC 9000 s. 19.8: Enforce maximum stream size
Reviewed-by: Tomas Mraz
Reviewed-by: Matt Caswell
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/21135)
---
 ssl/quic/quic_rx_depack.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/ssl/quic/quic_rx_depack.c b/ssl/quic/quic_rx_depack.c
index 6e2067f451..c75363d038 100644
--- a/ssl/quic/quic_rx_depack.c
+++ b/ssl/quic/quic_rx_depack.c
@@ -519,6 +519,21 @@ static int depack_do_frame_stream(PACKET *pkt, QUIC_CHANNEL *ch,
 return 0;
 }
 
+ /*
+ * RFC 9000 s. 19.8: "The largest offset delivered on a stream -- the sum of
+ * the offset and data length -- cannot exceed 2**62 - 1, as it is not
+ * possible to provide flow control credit for that data. Receipt of a frame
+ * that exceeds this limit MUST be treated as a connection error of type
+ * FRAME_ENCODING_ERROR or FLOW_CONTROL_ERROR."
+ */
+ if (frame_data.offset + frame_data.len > (((uint64_t)1) << 62) - 1) {
+ ossl_quic_channel_raise_protocol_error(ch,
+ QUIC_ERR_FRAME_ENCODING_ERROR,
+ frame_type,
+ "oversize stream");
+ return 0;
+ }
+
 switch (stream->recv_state) {
 case QUIC_RSTREAM_STATE_RECV:
 case QUIC_RSTREAM_STATE_SIZE_KNOWN:
-- cgit v1.2.3
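Review bot: The bound check `frame_data.offset + frame_data.len > (((uint64_t)1) << 62) - 1` is only sound if the addition cannot wrap a 64-bit value, and nothing in the hunk says why that holds. If both fields come from the QUIC variable-length integer decoder (not visible here), each is below 2**62 and the sum fits, so a one-line comment such as `/* offset and len are each < 2**62, so the sum cannot wrap */` would record the invariant next to the check. If that cannot be guaranteed, the wrap-free form `frame_data.offset > max_off || frame_data.len > max_off - frame_data.offset` (with `max_off` standing for the 2**62 - 1 limit) avoids depending on it. A named constant for the limit would also be easier to audit than the inline shift. depack_do_frame_stream begins and ends outside the hunk.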