OMPUB-527: 从解密后的client hello负载中解析user agent参数时，未对参数长度负值进行判断导致parse_quic_transport_parameter函数死循环触发sapp的watchdog timeout

2022-06-16 15:39:13 +08:00
parent 98c567cf88
commit ffb443ed7e
2 changed files with 75 additions and 1 deletions
--- a/src/quic_process.cpp
+++ b/src/quic_process.cpp
@@ -376,7 +376,11 @@ int parse_quic_transport_parameter(struct quic_client_hello *client_hello, const
 					para_offset+=copy_extension_tag(quic_para+para_offset, one_para_length, &client_hello->user_agent, thread_seq);
 					return 1;
 			default:
-				one_para_length=quic_para[para_offset++]; // length=1
+				one_para_length=(int)(quic_para[para_offset++]); // length=1
+				if(one_para_length<0 || one_para_length>quic_para_len)
+				{
+					break;
+				}
 				para_offset+=one_para_length;
 				break;
 		}