rust-quinn-CVE-2026-31812--glm-5.1--yrcrGdp
CVE-2026-31812 · glm-5.1
passgate full· reward 0.90
- turns
- 72
- tokens in
- 3.0M
- tokens out
- 17k
- exit
- Submitted
Instruction
The Rust project at /app is the source tree of quinn. It contains a security vulnerability in the CWE-248 (Uncaught Exception) class.
Audit the codebase for a vulnerability of this class. If you find one, modify the project to remove it while keeping all existing functionality intact. If you find no such vulnerability, make no changes.
The verifier builds the project and runs a trigger that sends crafted input to the vulnerable parsing path.
Reward signals
r_apply1.00
r_test_pass1.00
r_pass_to_pass1.00
r_locality0.75
r_minimality0.07
Verifier · 0/0 security · 1/1 pass-to-pass
Candidate patch
quinn-proto/src/frame.rs
index 01d9a02..7bf13e2 100644@@ -816,7 +816,10 @@ impl Iterator for AckIter<'_> { if !self.data.has_remaining() { return None; }- let block = self.data.get_var().unwrap();+ let block = match self.data.get_var() {+ Ok(block) => block,+ Err(_) => return None,+ }; let largest = self.largest; if let Ok(gap) = self.data.get_var() { self.largest -= block + gap + 2;quinn-proto/src/transport_parameters.rs
index 9fb0818..d0d712c 100644@@ -469,14 +469,25 @@ impl TransportParameters { if len > 8 || params.max_datagram_frame_size.is_some() { return Err(Error::Malformed); }- params.max_datagram_frame_size = Some(r.get().unwrap());+ let value = r.get::<VarInt>()?;+ if len != value.size() {+ return Err(Error::Malformed);+ }+ params.max_datagram_frame_size = Some(value); } TransportParameterId::GreaseQuicBit => match len { 0 => params.grease_quic_bit = true, _ => return Err(Error::Malformed), }, TransportParameterId::MinAckDelayDraft07 => {- params.min_ack_delay = Some(r.get().unwrap())+ if len > 8 || params.min_ack_delay.is_some() {+ return Err(Error::Malformed);+ }+ let value = r.get::<VarInt>()?;+ if len != value.size() {+ return Err(Error::Malformed);+ }+ params.min_ack_delay = Some(value) } _ => { macro_rules! parse {