Fix gfe_quic_fuzzer.
This change has two fixes. One is a memory leak in the fuzzer; the other is a buffer overrun in QuicFramer::EncryptPayload when the packet's length is smaller than the associated data length.
PiperOrigin-RevId: 314789978
Change-Id: Id6aab9572a19d7031403254f39d1677971692447
diff --git a/quic/core/quic_framer.cc b/quic/core/quic_framer.cc
index e2139cf..1cba589 100644
--- a/quic/core/quic_framer.cc
+++ b/quic/core/quic_framer.cc
@@ -4443,6 +4443,14 @@
// Copy in the header, because the encrypter only populates the encrypted
// plaintext content.
const size_t ad_len = associated_data.length();
+ if (packet.length() < ad_len) {
+ QUIC_BUG << ENDPOINT
+ << "packet is shorter than associated data length. version:"
+ << version() << ", packet length:" << packet.length()
+ << ", associated data length:" << ad_len;
+ RaiseError(QUIC_ENCRYPTION_FAILURE);
+ return 0;
+ }
memmove(buffer, associated_data.data(), ad_len);
// Encrypt the plaintext into the buffer.
size_t output_length = 0;
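Review bot: The new guard bounds ad_len by packet.length(), but the memmove it protects writes ad_len bytes into `buffer`, whose capacity is not established anywhere in this hunk. If EncryptPayload receives the output buffer's size as a separate parameter (the enclosing function starts and ends outside the hunk, so its signature is not visible), the same early return should also reject `ad_len > buffer_len`, since a caller passing an undersized output buffer would still overrun at the memmove even when the packet itself is long enough. The condition also deserves a one-line comment so the next reader knows why a shorter packet is a bug rather than a normal short write, e.g. `// ad_len bytes are copied into buffer below; a packet that cannot hold its own associated data is malformed.`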
@@ -4799,7 +4807,9 @@
type_byte = IETF_CONNECTION_CLOSE;
break;
default:
- set_detailed_error("Invalid QuicConnectionCloseFrame type.");
+ set_detailed_error(quiche::QuicheStrCat(
+ "Invalid QuicConnectionCloseFrame type: ",
+ static_cast<int>(frame.connection_close_frame->close_type)));
return RaiseError(QUIC_INTERNAL_ERROR);
}
break;