rust-quinn-CVE-2026-31812--gpt-5.3-codex--WEFsGqZ

CVE-2026-31812 · gpt-5.3-codex

passgate full· reward 0.83
turns
33
tokens in
776k
tokens out
5k
exit
passed

Instruction

The Rust project at /app is the source tree of quinn. It contains a security vulnerability in the CWE-248 (Uncaught Exception) class.

Audit the codebase for a vulnerability of this class. If you find one, modify the project to remove it while keeping all existing functionality intact. If you find no such vulnerability, make no changes.

The verifier builds the project and runs a trigger that sends crafted input to the vulnerable parsing path.

Reward signals

r_apply1.00
r_test_pass1.00
r_pass_to_pass1.00
r_locality0.25
r_minimality0.00

Verifier · 0/0 security · 1/1 pass-to-pass

Candidate patch

quinn-proto/src/transport_parameters.rs
index 9fb0818..085da13 100644@@ -466,17 +466,27 @@ impl TransportParameters {                     decode_cid(len, &mut params.retry_src_cid, r)?                 }                 TransportParameterId::MaxDatagramFrameSize => {-                    if len > 8 || params.max_datagram_frame_size.is_some() {+                    if params.max_datagram_frame_size.is_some() {                         return Err(Error::Malformed);                     }-                    params.max_datagram_frame_size = Some(r.get().unwrap());+                    let mut encoded = r.take(len);+                    let value = encoded.get::<VarInt>().map_err(|_| Error::Malformed)?;+                    if encoded.has_remaining() {+                        return Err(Error::Malformed);+                    }+                    params.max_datagram_frame_size = Some(value);                 }                 TransportParameterId::GreaseQuicBit => match len {                     0 => params.grease_quic_bit = true,                     _ => return Err(Error::Malformed),                 },                 TransportParameterId::MinAckDelayDraft07 => {-                    params.min_ack_delay = Some(r.get().unwrap())+                    let mut encoded = r.take(len);+                    let value = encoded.get::<VarInt>().map_err(|_| Error::Malformed)?;+                    if encoded.has_remaining() {+                        return Err(Error::Malformed);+                    }+                    params.min_ack_delay = Some(value)                 }                 _ => {                     macro_rules! parse {@@ -723,6 +733,7 @@ fn decode_cid(len: usize, value: &mut Option<ConnectionId>, r: &mut impl Buf) -> #[cfg(test)] mod test {     use super::*;+    use crate::coding::BufMutExt;      #[test]     fn coding() {@@ -860,6 +871,25 @@ mod test {         }     } +    #[test]+    fn malformed_varint_transport_parameters() {+        let mut buf = Vec::new();+        buf.write_var(TransportParameterId::MaxDatagramFrameSize as u64);+        buf.write_var(0);+        assert_eq!(+            TransportParameters::read(Side::Server, &mut buf.as_slice()),+            Err(Error::Malformed)+        );++        let mut buf = Vec::new();+        buf.write_var(TransportParameterId::MinAckDelayDraft07 as u64);+        buf.write_var(0);+        assert_eq!(+            TransportParameters::read(Side::Server, &mut buf.as_slice()),+            Err(Error::Malformed)+        );+    }+     #[test]     fn resumption_params_validation() {         let high_limit = TransportParameters {

Trajectory