From 79e49c2a162dd777ff0ab16954d5ee7c58da56e8 Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov <pluknet@nginx.com>
Date: Sat, 21 Mar 2020 19:22:39 +0300
Subject: Fixed buffer overrun in create_transport_params() with -24.

It writes 16-bit prefix as designed, but length calculation assumed varint.
---
 src/event/ngx_event_quic_transport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/event/ngx_event_quic_transport.c b/src/event/ngx_event_quic_transport.c
index 577ad7d45..826af2bdd 100644
--- a/src/event/ngx_event_quic_transport.c
+++ b/src/event/ngx_event_quic_transport.c
@@ -1136,7 +1136,7 @@ ngx_quic_create_transport_params(u_char *pos, u_char *end, ngx_quic_tp_t *tp)
 
     if (pos == NULL) {
 #if (quic_version < 0xff00001b)
-        len += ngx_quic_varint_len(len);
+        len += 2;
 #endif
         return len;
     }
-- 
cgit