dxbjavid opened a new pull request, #13361:
URL: https://github.com/apache/trafficserver/pull/13361

   The QPACK header decoder takes a header block off an HTTP/3 request stream 
and walks it field by field. In _decode_header the remaining-length counter is 
set once to the full block size and then never reduced as the cursor moves 
forward, so every per-field decoder is handed a buffer end of pos plus the 
whole block length rather than pos plus what is actually left. After the first 
field is consumed that end sits past the real end of the buffer, by however 
many bytes have already been read. A client can lean on this by sending a block 
whose later field declares a string length that reaches beyond the true end but 
still fits inside the inflated bound, which slips past the length check and 
makes the following copy read off the end of the allocation. I noticed it while 
tracing why the end pointer handed to the sub-decoders did not match the block 
the frame layer had buffered, and an address-sanitiser run on a crafted block 
confirmed the over-read. The fix keeps remain_len in step with 
 the cursor by subtracting each consumed length, so the derived end always 
points at the real end of the block. I kept the change inside _decode_header so 
the sub-decoders and the rest of the path are left alone.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to