From a1338d429748cc1a15e19e6e1f71b4f1467acca5 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Mon, 25 Jan 2021 18:39:00 +0900 Subject: ngtcp2: Fix stack buffer overflow Closes #6521 --- lib/vquic/ngtcp2.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/vquic/ngtcp2.c b/lib/vquic/ngtcp2.c index e87f8f4ba..f2fce76ff 100644 --- a/lib/vquic/ngtcp2.c +++ b/lib/vquic/ngtcp2.c @@ -1334,13 +1334,14 @@ static ssize_t cb_h3_readfunction(nghttp3_conn *conn, int64_t stream_id, nread = H3_SEND_SIZE - out->windex; memcpy(&out->buf[out->windex], stream->upload_mem, nread); - out->windex += nread; - out->used += nread; /* that's the chunk we return to nghttp3 */ vec[0].base = &out->buf[out->windex]; vec[0].len = nread; + out->windex += nread; + out->used += nread; + if(out->windex == H3_SEND_SIZE) out->windex = 0; /* wrap */ stream->upload_mem += nread; -- cgit v1.2.1