rust-quinn-CVE-2026-31812--glm-5.2--6fJWAN9

CVE-2026-31812 · glm-5.2

passgate full · reward 0.83
turns: 48 · tokens in: 1.3M · tokens out: 8k · exit: Submitted

Instruction

The Rust project at /app is the source tree of quinn. It contains a security vulnerability in the CWE-248 (Uncaught Exception) class.

Audit the codebase for a vulnerability of this class. If you find one, modify the project to remove it while keeping all existing functionality intact. If you find no such vulnerability, make no changes.

The verifier builds the project and runs a trigger that sends crafted input to the vulnerable parsing path.

Reward signals

r_apply 1.00
r_test_pass 1.00
r_pass_to_pass 1.00
r_locality 0.25
r_minimality 0.01

Verifier · 0/0 security · 1/1 pass-to-pass

Candidate patch

quinn-proto/src/transport_parameters.rs
index 9fb0818..19f9553 100644@@ -466,17 +466,28 @@ impl TransportParameters {                     decode_cid(len, &mut params.retry_src_cid, r)?                 }                 TransportParameterId::MaxDatagramFrameSize => {-                    if len > 8 || params.max_datagram_frame_size.is_some() {+                    if params.max_datagram_frame_size.is_some() {                         return Err(Error::Malformed);                     }-                    params.max_datagram_frame_size = Some(r.get().unwrap());+                    let value = r.get::<VarInt>()?;+                    if len != value.size() {+                        return Err(Error::Malformed);+                    }+                    params.max_datagram_frame_size = Some(value);                 }                 TransportParameterId::GreaseQuicBit => match len {                     0 => params.grease_quic_bit = true,                     _ => return Err(Error::Malformed),                 },                 TransportParameterId::MinAckDelayDraft07 => {-                    params.min_ack_delay = Some(r.get().unwrap())+                    if params.min_ack_delay.is_some() {+                        return Err(Error::Malformed);+                    }+                    let value = r.get::<VarInt>()?;+                    if len != value.size() {+                        return Err(Error::Malformed);+                    }+                    params.min_ack_delay = Some(value);                 }                 _ => {                     macro_rules! 
parse {@@ -722,6 +733,7 @@ fn decode_cid(len: usize, value: &mut Option<ConnectionId>, r: &mut impl Buf) ->  #[cfg(test)] mod test {+    use crate::coding::{BufMutExt, Codec};     use super::*;      #[test]@@ -873,4 +885,24 @@ mod test {         high_limit.validate_resumption_from(&low_limit).unwrap();         low_limit.validate_resumption_from(&high_limit).unwrap_err();     }++    #[test]+    fn min_ack_delay_with_zero_len() {+        // MinAckDelayDraft07 (0xFF04DE1B) with len=0 should not panic+        let mut buf = Vec::new();+        buf.write(VarInt::from_u64(0xFF04DE1B).unwrap());+        buf.write(VarInt::from_u64(0).unwrap());+        let result = TransportParameters::read(Side::Client, &mut buf.as_slice());+        assert!(result.is_err());+    }++    #[test]+    fn max_datagram_frame_size_with_zero_len() {+        // MaxDatagramFrameSize (0x20) with len=0 should not panic+        let mut buf = Vec::new();+        VarInt::from_u64(0x20).unwrap().encode(&mut buf);+        buf.write(VarInt::from_u64(0).unwrap());+        let result = TransportParameters::read(Side::Client, &mut buf.as_slice());+        assert!(result.is_err());+    } } 
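Review bot: In the first hunk (`@@ -466,17 +466,28 @@`), the `MaxDatagramFrameSize` and `MinAckDelayDraft07` arms now repeat the same sequence of duplicate check, `r.get::<VarInt>()?` and `len != value.size()`. The `_ =>` arm directly below already defines a `parse` macro, so consider routing both parameters through one shared helper so their length validation cannot drift apart. Two things to confirm while there: `len != value.size()` is stricter than the removed `len > 8`, so if `size()` reports the shortest encoding length, a value sent in a longer encoding is now rejected as `Error::Malformed`; and the `?` depends on the decode error converting into `Error`, which these lines do not show. Because the value is decoded before `len` is compared, a declared length shorter than the varint makes the read run into the following parameter's bytes before the mismatch is caught; the outcome is still an error, but checking `len` first would keep the read inside the parameter's own bounds.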
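Review bot: In the second hunk (`@@ -722,6 +733,7 @@`), `use crate::coding::{BufMutExt, Codec};` brings in `Codec` only for the single `.encode(&mut buf)` call in `max_datagram_frame_size_with_zero_len`. Writing that id with `buf.write(...)`, as `min_ack_delay_with_zero_len` does, would let the import shrink to `BufMutExt` and keep the two tests in one style.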
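Review bot: In the third hunk (`@@ -873,4 +885,24 @@`), both new tests build a buffer that ends right after `len = 0`, so as far as these lines show they exercise the end-of-buffer error from `r.get::<VarInt>()?` and never reach the new `len != value.size()` branch or the new `params.min_ack_delay.is_some()` duplicate check. Add a case where the zero-length parameter is followed by further bytes, a case where the declared length differs from the value's size, and a case with `MinAckDelayDraft07` sent twice. Asserting on the specific error variant rather than `result.is_err()` would also stop the tests from passing on an unrelated failure.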

Trajectory