From: Simon Horman <horms@kernel.org>
To: lucien.xin@gmail.com
Cc: Simon Horman <horms@kernel.org>,
steved@redhat.com, marcelo.leitner@gmail.com,
aahringo@redhat.com, alibuda@linux.alibaba.com,
jbaron@akamai.com, hare@suse.de, kuba@kernel.org, tom@talpey.com,
linux-cifs@vger.kernel.org, daniel@haxx.se, quic@lists.linux.dev,
jlayton@kernel.org, tfanelli@redhat.com, dhowells@redhat.com,
linkinjeon@kernel.org, hepengtao@xiaomi.com, pc@manguebit.com,
kernel-tls-handshake@lists.linux.dev, illiliti@protonmail.com,
xiyou.wangcong@gmail.com, andrew.gospodarek@broadcom.com,
mail@johnericson.me, edumazet@google.com, pabeni@redhat.com,
matttbe@kernel.org, netdev@vger.kernel.org, smfrench@gmail.com,
metze@samba.org, mbuhl@openbsd.org, chuck.lever@oracle.com,
dreibh@simula.no, davem@davemloft.net, sd@queasysnail.net
Subject: Re: [net-next,v9,03/15] quic: provide common utilities and data structures
Date: Thu, 5 Feb 2026 11:54:49 +0000 [thread overview]
Message-ID: <20260205115449.2195294-1-horms@kernel.org> (raw)
In-Reply-To: <74174c085fb11b8a63e72a7df730b6f4a7479c5c.1770042461.git.lucien.xin@gmail.com>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
quic: provide common utilities and data structures
This patch provides foundational data structures and utilities for
the QUIC stack, including hash tables for socket lookup, connection
ID management, and helpers for encoding/decoding transport parameters.
> diff --git a/net/quic/common.c b/net/quic/common.c
> new file mode 100644
> index 000000000000..94321f3f213d
> --- /dev/null
> +++ b/net/quic/common.c
[ ... ]
> +/* Reads a QUIC transport parameter value. */
> +u8 quic_get_param(u64 *pdest, u8 **pp, u32 *plen)
> +{
> + u64 valuelen;
> +
> + if (!quic_get_var(pp, plen, &valuelen))
> + return 0;
> +
> + if (*plen < valuelen)
> + return 0;
> +
> + if (!quic_get_var(pp, plen, pdest))
> + return 0;
> +
> + return (u8)valuelen;
> +}
Does quic_get_param() need to verify that quic_get_var() consumed exactly
valuelen bytes?
The function reads valuelen at the first quic_get_var() call, then decodes
the value with the second quic_get_var(). However, quic_get_var() determines
how many bytes to consume based on the varint prefix in the data, not from
valuelen.
If a malformed packet has valuelen=2 but the varint encoding requires 4 bytes,
quic_get_var() will consume 4 bytes while the function returns valuelen=2.
This could desynchronize parsing of subsequent parameters since the caller
expects the buffer to have advanced by valuelen bytes based on the return
value.
> diff --git a/net/quic/common.h b/net/quic/common.h
> new file mode 100644
> index 000000000000..bfec0aaf2907
> --- /dev/null
> +++ b/net/quic/common.h
[ ... ]
> +#define QUIC_CONN_ID_MAX_LEN 20
[ ... ]
> +struct quic_conn_id {
> + u8 data[QUIC_CONN_ID_MAX_LEN];
> + u8 len;
> +};
> +
> +static inline void quic_conn_id_update(struct quic_conn_id *conn_id, u8 *data, u32 len)
> +{
> + memcpy(conn_id->data, data, len);
> + conn_id->len = (u8)len;
> +}
Should quic_conn_id_update() validate that len does not exceed
QUIC_CONN_ID_MAX_LEN before the memcpy?
The destination buffer conn_id->data is a 20-byte array, but the len
parameter is u32 with no bounds check. If a caller passes len > 20, the
memcpy would overflow the buffer.
next prev parent reply other threads:[~2026-02-05 11:55 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-02 14:27 [PATCH net-next v9 00/15] net: introduce QUIC infrastructure and core subcomponents Xin Long
2026-02-02 14:27 ` [PATCH net-next v9 01/15] net: define IPPROTO_QUIC and SOL_QUIC constants Xin Long
2026-02-02 14:27 ` [PATCH net-next v9 02/15] net: build socket infrastructure for QUIC protocol Xin Long
2026-02-05 11:54 ` [net-next,v9,02/15] " Simon Horman
2026-02-05 12:48 ` Paolo Abeni
2026-02-05 19:03 ` Xin Long
2026-02-02 14:27 ` [PATCH net-next v9 03/15] quic: provide common utilities and data structures Xin Long
2026-02-05 11:54 ` Simon Horman [this message]
2026-02-05 12:51 ` [net-next,v9,03/15] " Paolo Abeni
2026-02-05 19:18 ` Xin Long
2026-02-02 14:27 ` [PATCH net-next v9 04/15] quic: provide family ops for address and protocol Xin Long
2026-02-02 14:27 ` [PATCH net-next v9 05/15] quic: provide quic.h header files for kernel and userspace Xin Long
2026-02-05 11:55 ` [net-next,v9,05/15] " Simon Horman
2026-02-05 19:37 ` Xin Long
2026-02-02 14:27 ` [PATCH net-next v9 06/15] quic: add stream management Xin Long
2026-02-05 11:55 ` [net-next,v9,06/15] " Simon Horman
2026-02-05 18:56 ` Xin Long
2026-02-02 14:27 ` [PATCH net-next v9 07/15] quic: add connection id management Xin Long
2026-02-02 14:27 ` [PATCH net-next v9 08/15] quic: add path management Xin Long
2026-02-02 14:27 ` [PATCH net-next v9 09/15] quic: add congestion control Xin Long
2026-02-05 11:55 ` [net-next,v9,09/15] " Simon Horman
2026-02-05 19:00 ` Xin Long
2026-02-02 14:27 ` [PATCH net-next v9 10/15] quic: add packet number space Xin Long
2026-02-02 14:27 ` [PATCH net-next v9 11/15] quic: add crypto key derivation and installation Xin Long
2026-02-02 14:27 ` [PATCH net-next v9 12/15] quic: add crypto packet encryption and decryption Xin Long
2026-02-02 14:27 ` [PATCH net-next v9 13/15] quic: add timer management Xin Long
2026-02-02 14:27 ` [PATCH net-next v9 14/15] quic: add packet builder base Xin Long
2026-02-02 14:27 ` [PATCH net-next v9 15/15] quic: add packet parser base Xin Long
2026-02-05 11:55 ` [net-next,v9,15/15] " Simon Horman
2026-02-05 19:02 ` Xin Long
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260205115449.2195294-1-horms@kernel.org \
--to=horms@kernel.org \
--cc=aahringo@redhat.com \
--cc=alibuda@linux.alibaba.com \
--cc=andrew.gospodarek@broadcom.com \
--cc=chuck.lever@oracle.com \
--cc=daniel@haxx.se \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dreibh@simula.no \
--cc=edumazet@google.com \
--cc=hare@suse.de \
--cc=hepengtao@xiaomi.com \
--cc=illiliti@protonmail.com \
--cc=jbaron@akamai.com \
--cc=jlayton@kernel.org \
--cc=kernel-tls-handshake@lists.linux.dev \
--cc=kuba@kernel.org \
--cc=linkinjeon@kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=lucien.xin@gmail.com \
--cc=mail@johnericson.me \
--cc=marcelo.leitner@gmail.com \
--cc=matttbe@kernel.org \
--cc=mbuhl@openbsd.org \
--cc=metze@samba.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pc@manguebit.com \
--cc=quic@lists.linux.dev \
--cc=sd@queasysnail.net \
--cc=smfrench@gmail.com \
--cc=steved@redhat.com \
--cc=tfanelli@redhat.com \
--cc=tom@talpey.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox