This is an automated email from the ASF dual-hosted git repository. maskit pushed a commit to branch quic-latest in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit 4503964ea557ffb9e9a9b7d24a070d1abcb76ff8
Author: Masakazu Kitajo <[email protected]>
AuthorDate: Sun Jul 15 11:12:25 2018 +0900
Check the buffer size before reading a packet number
---
 iocore/net/quic/QUICPacket.cc | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/iocore/net/quic/QUICPacket.cc b/iocore/net/quic/QUICPacket.cc
index e143181..fd9a1db 100644
--- a/iocore/net/quic/QUICPacket.cc
+++ b/iocore/net/quic/QUICPacket.cc
@@ -873,6 +873,10 @@ QUICPacket::unprotect_packet_number(uint8_t *packet, size_t packet_len, const QU
 return false;
 }
 unprotected_pn_len = QUICTypeUtil::read_QUICPacketNumberLen(unprotected_pn);
+ if (pn_offset + unprotected_pn_len > packet_len) {
+ Debug(tag.data(), "Malformed header: pn_offset=%zu, pn_len=%d", pn_offset, unprotected_pn_len);
+ return false;
+ }
 memcpy(packet + pn_offset, unprotected_pn, unprotected_pn_len);
 return true;
 }
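Review bot: The added guard `pn_offset + unprotected_pn_len > packet_len` is written as an addition, so it is only sound if `pn_offset` is already known to be at most `packet_len`; the earlier checks sit outside this hunk, and if none of them establishes that, the sum can wrap for a very large offset and the `memcpy` into `packet + pn_offset` still runs. The subtraction form removes that dependency: `if (pn_offset > packet_len || unprotected_pn_len > packet_len - pn_offset) {`. The `%d` in the log line suggests `unprotected_pn_len` is a narrow or signed integer (its declaration is not visible here), so confirm it cannot be negative before it is compared with a `size_t` and passed as the `memcpy` length. A one-line comment above the check, such as `// pn_len comes from the unprotected first byte, i.e. from the peer; bound the write into packet`, would record why the length is not trusted.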
