uint64_t *total_ranges)
{
PACKET pkt = *orig_pkt;
- uint64_t ack_range_count;
+ uint64_t ack_range_count, i;
if (!expect_frame_header_mask(&pkt, OSSL_QUIC_FRAME_TYPE_ACK_WITHOUT_ECN,
1, NULL)
|| !PACKET_get_quic_vlint(&pkt, &ack_range_count))
return 0;
+ /*
+ * Ensure the specified number of ack ranges listed in the ACK frame header
+ * actually are available in the frame data. This naturally bounds the
+ * number of ACK ranges which can be requested by the MDPL, and therefore by
+ * the MTU. This ensures we do not allocate memory for an excessive number
+ * of ACK ranges.
+ */
+ for (i = 0; i < ack_range_count; ++i)
+ if (!PACKET_skip_quic_vlint(&pkt)
+ || !PACKET_skip_quic_vlint(&pkt))
+ return 0;
+
/* (cannot overflow because QUIC vlints can only encode up to 2**62-1) */
*total_ranges = ack_range_count + 1;
return 1;