mirror of
http://git.haproxy.org/git/haproxy.git
synced 2026-02-22 11:23:15 +02:00
8e16fd2cf1
QUIC frame type is encoded as a varint. Initially, haproxy parsed it as a single byte, which was enough to cover frames defined in RFC9000. The code has been extended recently to support multi-bytes encoded value, in anticipation of QUIC frames extension support. However, there was no check on the varint format. This is interpreted erroneously as a PADDING frame as this serves as the initial value. Thus the rest of the packet is incorrectly handled, with various resulting effects, including infinite loops and/or crashes. This patch fixes this by checking the return value of quic_dec_int(). If varint cannot be parsed, the connection is immediately closed. This issue is assigned to CVE-2026-26080 report. This must be backported up to 3.2. Reported-by: Asim Viladi Oglu Manizada <manizada@pm.me>