From f10832d110f5e5bf675803a75b6fc92abb16e75b Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Wed, 11 Dec 2024 12:51:23 +0100
Subject: [PATCH] QUIC/decrypt_crypto: Limit payload_length to 10k

Given we dynamically allocate memory for decryption, employ a limit that is unlikely to be hit, but allows for large payloads produced by the fuzzer or jumbo frames.
---
 src/analyzer/protocol/quic/decrypt_crypto.cc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/analyzer/protocol/quic/decrypt_crypto.cc b/src/analyzer/protocol/quic/decrypt_crypto.cc
index 693f77fdcc..efe83c5343 100644
--- a/src/analyzer/protocol/quic/decrypt_crypto.cc
+++ b/src/analyzer/protocol/quic/decrypt_crypto.cc
@@ -158,6 +158,11 @@ hilti::rt::Bytes decrypt(const std::vector& client_key, const hilti::rt
         throw hilti::rt::RuntimeError(hilti::rt::fmt("payload too small %ld < %ld", payload_length, decryptInfo.packet_number_length + AEAD_TAG_LENGTH));
 
+    // Bail on large payloads, somewhat arbitrarily. 10k allows for Jumbo frames
+    // and sometimes the fuzzer produces packets up to that size as well.
+    if ( payload_length > 10000 )
+        throw hilti::rt::RuntimeError(hilti::rt::fmt("payload_length too large %ld", payload_length));
+
     const uint8_t* encrypted_payload = data_as_uint8(all_data) + decryptInfo.unprotected_header.size();
     int encrypted_payload_size = payload_length - decryptInfo.packet_number_length - AEAD_TAG_LENGTH;
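Review bot: The new `if ( payload_length > 10000 )` hard-codes the bound as a bare literal and words its error as `payload_length too large`, while the sibling check two lines up says `payload too small` and reports both sides of the comparison; a named constant keeps the limit greppable and lets the message show it, e.g. `constexpr long MAX_PAYLOAD_LENGTH = 10000; // jumbo frames; fuzzer packets reach this size` at file scope and `throw hilti::rt::RuntimeError(hilti::rt::fmt("payload too large %ld > %ld", payload_length, MAX_PAYLOAD_LENGTH));` here. Since the commit message says this value sizes a dynamic allocation and the name suggests it comes from the packet itself, the comment should state that this check exists to bound the decrypt buffer against wire-supplied lengths rather than only mentioning jumbo frames and the fuzzer, so the limit is not later raised or removed as merely cosmetic. The `%ld` conversions presume `payload_length` is a `long`-compatible type; I cannot confirm its declaration from the hunk. The enclosing `decrypt()` begins before and continues after this hunk.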