From 96ac90e6be43c866209c571ca4973df3259f8633 Mon Sep 17 00:00:00 2001
From: Marten Seemann <martenseemann@gmail.com>
Date: Wed, 8 Apr 2020 14:12:53 +0700
Subject: [PATCH] validate connection ID length in preferred_address transport
 parameter

---
 internal/wire/transport_parameter_test.go | 35 +++++++++++++++++------
 internal/wire/transport_parameters.go     |  3 ++
 2 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/internal/wire/transport_parameter_test.go b/internal/wire/transport_parameter_test.go
index 5f7583c4..56bb8011 100644
--- a/internal/wire/transport_parameter_test.go
+++ b/internal/wire/transport_parameter_test.go
@@ -260,14 +260,18 @@ var _ = Describe("Transport Parameters", func() {
 	})
 
 	Context("preferred address", func() {
-		pa := &PreferredAddress{
-			IPv4:                net.IPv4(127, 0, 0, 1),
-			IPv4Port:            42,
-			IPv6:                net.IP{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16},
-			IPv6Port:            13,
-			ConnectionID:        protocol.ConnectionID{0xde, 0xad, 0xbe, 0xef},
-			StatelessResetToken: [16]byte{16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1},
-		}
+		var pa *PreferredAddress
+
+		BeforeEach(func() {
+			pa = &PreferredAddress{
+				IPv4:                net.IPv4(127, 0, 0, 1),
+				IPv4Port:            42,
+				IPv6:                net.IP{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16},
+				IPv6Port:            13,
+				ConnectionID:        protocol.ConnectionID{0xde, 0xad, 0xbe, 0xef},
+				StatelessResetToken: [16]byte{16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1},
+			}
+		})
 
 		It("marshals and unmarshals", func() {
 			data := (&TransportParameters{PreferredAddress: pa}).Marshal()
@@ -287,6 +291,21 @@ var _ = Describe("Transport Parameters", func() {
 			Expect(p.Unmarshal(data, protocol.PerspectiveClient)).To(MatchError("TRANSPORT_PARAMETER_ERROR: client sent a preferred_address"))
 		})
 
+		It("errors on zero-length connection IDs", func() {
+			pa.ConnectionID = protocol.ConnectionID{}
+			data := (&TransportParameters{PreferredAddress: pa}).Marshal()
+			p := &TransportParameters{}
+			Expect(p.Unmarshal(data, protocol.PerspectiveServer)).To(MatchError("TRANSPORT_PARAMETER_ERROR: invalid connection ID length: 0"))
+		})
+
+		It("errors on too long connection IDs", func() {
+			pa.ConnectionID = protocol.ConnectionID{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21}
+			Expect(pa.ConnectionID.Len()).To(BeNumerically(">", protocol.MaxConnIDLen))
+			data := (&TransportParameters{PreferredAddress: pa}).Marshal()
+			p := &TransportParameters{}
+			Expect(p.Unmarshal(data, protocol.PerspectiveServer)).To(MatchError("TRANSPORT_PARAMETER_ERROR: invalid connection ID length: 21"))
+		})
+
 		It("errors on EOF", func() {
 			raw := []byte{
 				127, 0, 0, 1, // IPv4
diff --git a/internal/wire/transport_parameters.go b/internal/wire/transport_parameters.go
index 318347b7..dd51cf34 100644
--- a/internal/wire/transport_parameters.go
+++ b/internal/wire/transport_parameters.go
@@ -214,6 +214,9 @@ func (p *TransportParameters) readPreferredAddress(r *bytes.Reader, expectedLen
 	if err != nil {
 		return err
 	}
+	if connIDLen == 0 || connIDLen > protocol.MaxConnIDLen {
+		return fmt.Errorf("invalid connection ID length: %d", connIDLen)
+	}
 	connID, err := protocol.ReadConnectionID(r, int(connIDLen))
 	if err != nil {
 		return err