This is an automated email from the ASF dual-hosted git repository. cmcfarlen pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit 0d3d9b9fdaea0272dd7adf442e5eb3a8499cc428 Author: Kit Chan <[email protected]> AuthorDate: Tue Jun 4 18:20:06 2024 +0200 Update Http3Frame.cc - fix Use-of-uninitialized-value error (#11400) * Update Http3Frame.cc * Update Http3Frame.cc * Update Http3Frame.cc * Update Http3Frame.cc * Update Http3Frame.cc * Update Http3Frame.cc (cherry picked from commit 4d07954652878700269140173a5630ad38c49fa2)
---
 src/proxy/http3/Http3Frame.cc | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/src/proxy/http3/Http3Frame.cc b/src/proxy/http3/Http3Frame.cc
index c429919217..96c46f794d 100644
--- a/src/proxy/http3/Http3Frame.cc
+++ b/src/proxy/http3/Http3Frame.cc
@@ -277,13 +277,24 @@ Http3SettingsFrame::Http3SettingsFrame(const uint8_t *buf, size_t buf_len, uint3
 break;
 }
- size_t id_len = QUICVariableInt::size(buf + len);
- uint16_t id = QUICIntUtil::read_QUICVariableInt(buf + len, buf_len - len);
- len += id_len;
+ size_t id_len = QUICVariableInt::size(buf + len);
+ if ((len + id_len) >=
+ buf_len) { // if the id is larger than the buffer or at the boundary of the buffer (i.e. no value), it is invalid
+ this->_error_code = Http3ErrorCode::H3_SETTINGS_ERROR;
+ this->_error_reason = reinterpret_cast<const char *>("invalid SETTINGS frame");
+ break;
+ }
+ uint16_t id = QUICIntUtil::read_QUICVariableInt(buf + len, buf_len - len);
+ len += id_len;
- size_t value_len = QUICVariableInt::size(buf + len);
- uint64_t value = QUICIntUtil::read_QUICVariableInt(buf + len, buf_len - len);
- len += value_len;
+ size_t value_len = QUICVariableInt::size(buf + len);
+ if ((len + value_len) > buf_len) {
+ this->_error_code = Http3ErrorCode::H3_SETTINGS_ERROR;
+ this->_error_reason = reinterpret_cast<const char *>("invalid SETTINGS frame");
+ break;
+ }
+ uint64_t value = QUICIntUtil::read_QUICVariableInt(buf + len, buf_len - len);
+ len += value_len;
 // Ignore any SETTINGS identifier it does not understand.
 bool ignore = true;
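Review bot: The re-added line `uint16_t id = QUICIntUtil::read_QUICVariableInt(buf + len, buf_len - len);` still narrows the decoded identifier to 16 bits, while the same call is stored in a `uint64_t` for the value, so the helper presumably returns the full variable-length integer. A peer-supplied identifier above 0xFFFF would then wrap onto a small one and could be taken for a known setting instead of being ignored as unknown. Consider `uint64_t id = QUICIntUtil::read_QUICVariableInt(buf + len, buf_len - len);`, with the comparison that follows (outside this hunk) done on the wide value. Separately, the first `QUICVariableInt::size(buf + len)` reads `buf[len]` before either new guard runs, so it relies on a `len < buf_len` loop condition that is not visible here; a short comment stating that invariant, plus one on the second guard explaining why it uses `>` where the first uses `>=`, would help the next reader. The constructor body starts and ends outside the hunk.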
