From 977a00685da005640693b9e41f42b5454bb12395 Mon Sep 17 00:00:00 2001
From: Vladimir Homutov
Date: Mon, 19 Apr 2021 09:46:37 +0300
Subject: [PATCH] QUIC: added missing checks for limits in stream frames parsing.
---
 src/event/quic/ngx_event_quic_transport.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/event/quic/ngx_event_quic_transport.c b/src/event/quic/ngx_event_quic_transport.c
index ad4758c60..0d84546eb 100644
--- a/src/event/quic/ngx_event_quic_transport.c
+++ b/src/event/quic/ngx_event_quic_transport.c
@@ -1003,6 +1003,10 @@ ngx_quic_parse_frame(ngx_quic_header_t *pkt, u_char *start, u_char *end,
 goto error;
 }
+ if (f->u.streams_blocked.limit > 0x1000000000000000) {
+ goto error;
+ }
+
 f->u.streams_blocked.bidi = (f->type == NGX_QUIC_FT_STREAMS_BLOCKED) ? 1 : 0;
 break;
@@ -1015,6 +1019,10 @@ ngx_quic_parse_frame(ngx_quic_header_t *pkt, u_char *start, u_char *end,
 goto error;
 }
+ if (f->u.max_streams.limit > 0x1000000000000000) {
+ goto error;
+ }
+
 f->u.max_streams.bidi = (f->type == NGX_QUIC_FT_MAX_STREAMS) ? 1 : 0;
 break;
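Review bot: The bound `0x1000000000000000` is an unexplained magic number written out twice, once in the `streams_blocked.limit` check and again in the `max_streams.limit` check of the second hunk. It is 2^60, the largest stream count whose stream IDs still fit in a 62-bit QUIC variable-length integer, and a sixteen-digit literal guarding a peer-controlled value is easy to mistype or misread in a later edit. I would define it once as a named constant, for example `#define NGX_QUIC_MAX_STREAMS_LIMIT  0x1000000000000000  /* 2^60: stream IDs must fit in a 62-bit varint */`, and compare against that name in both places. The `error` label is outside these hunks, so it is worth confirming that this path closes the connection with a frame-encoding error rather than only discarding the frame; the body of ngx_quic_parse_frame starts and ends outside both hunks.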