(trafficserver) branch master updated: Update Http3Frame.cc - fix Use-of-uninitialized-value error (#11400)

[kichan]

This is an automated email from the ASF dual-hosted git repository.

kichan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 4d07954652 Update Http3Frame.cc - fix Use-of-uninitialized-value error 
(#11400)
4d07954652 is described below

commit 4d07954652878700269140173a5630ad38c49fa2
Author: Kit Chan <kic...@apache.org>
AuthorDate: Tue Jun 4 18:20:06 2024 +0200

    Update Http3Frame.cc - fix Use-of-uninitialized-value error (#11400)
    
    * Update Http3Frame.cc
    
    * Update Http3Frame.cc
    
    * Update Http3Frame.cc
    
    * Update Http3Frame.cc
    
    * Update Http3Frame.cc
    
    * Update Http3Frame.cc
---
 src/proxy/http3/Http3Frame.cc | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/src/proxy/http3/Http3Frame.cc b/src/proxy/http3/Http3Frame.cc
index c429919217..96c46f794d 100644
--- a/src/proxy/http3/Http3Frame.cc
+++ b/src/proxy/http3/Http3Frame.cc
@@ -277,13 +277,24 @@ Http3SettingsFrame::Http3SettingsFrame(const uint8_t 
*buf, size_t buf_len, uint3
       break;
     }
 
-    size_t   id_len  = QUICVariableInt::size(buf + len);
-    uint16_t id      = QUICIntUtil::read_QUICVariableInt(buf + len, buf_len - 
len);
-    len             += id_len;
+    size_t id_len = QUICVariableInt::size(buf + len);
+    if ((len + id_len) >=
+        buf_len) { // if the id is larger than the buffer or at the boundary 
of the buffer (i.e. no value), it is invalid
+      this->_error_code   = Http3ErrorCode::H3_SETTINGS_ERROR;
+      this->_error_reason = reinterpret_cast<const char *>("invalid SETTINGS 
frame");
+      break;
+    }
+    uint16_t id  = QUICIntUtil::read_QUICVariableInt(buf + len, buf_len - len);
+    len         += id_len;
 
-    size_t   value_len  = QUICVariableInt::size(buf + len);
-    uint64_t value      = QUICIntUtil::read_QUICVariableInt(buf + len, buf_len 
- len);
-    len                += value_len;
+    size_t value_len = QUICVariableInt::size(buf + len);
+    if ((len + value_len) > buf_len) {
+      this->_error_code   = Http3ErrorCode::H3_SETTINGS_ERROR;
+      this->_error_reason = reinterpret_cast<const char *>("invalid SETTINGS 
frame");
+      break;
+    }
+    uint64_t value  = QUICIntUtil::read_QUICVariableInt(buf + len, buf_len - 
len);
+    len            += value_len;
 
     // Ignore any SETTINGS identifier it does not understand.
     bool ignore = true;