1 files changed, 10 insertions, 2 deletions

diff --git a/src/gquic_process.cpp b/src/gquic_process.cpp
index 79b8efe..e1e5002 100644
--- a/src/gquic_process.cpp
+++ b/src/gquic_process.cpp
@@ -1,7 +1,7 @@
 /*
  * quic_process.c
  *
- *  Created on: 2019��4��2��
+ *  Created on: 2019��4��2��
  *      Author: root
  */
 
@@ -1134,12 +1134,20 @@ int parse_encrypt_parameter(struct _quic_stream *quic_stream, unsigned char *pay
 			case	EXT_QUIC_PARAM_USER_AGENT: // 2021-10-20 deprecated
 					quic_stream->ua_idx=quic_stream->ext_tag_num++;
 					length=get_value(payload, &used_len, 1); // length=1
+					if(length+used_len>payload_len)
+					{
+						return 0;
+					}
 					get_quic_tlv((char *)payload+used_len, &(quic_stream->ext_tags[quic_stream->ua_idx]), length, EXT_QUIC_PARAM_USER_AGENT, thread_seq);
 					used_len+=length;
 					break;
 			case	EXT_QUIC_PARAM_QUIC_VERSION:
 					quic_stream->ver_idx=quic_stream->ext_tag_num++;
 					length=get_value(payload, &used_len, 1); // length=1
+					if(length+used_len>payload_len)
+					{
+						return 0;
+					}
 					get_quic_tlv((char *)payload+used_len, &(quic_stream->ext_tags[quic_stream->ver_idx]), length, EXT_QUIC_PARAM_QUIC_VERSION, thread_seq);
 					*(unsigned int *)quic_stream->ext_tags[quic_stream->ver_idx].value=(unsigned int)htonl(*(unsigned int *)quic_stream->ext_tags[quic_stream->ver_idx].value);
 					used_len+=length;
@@ -1448,7 +1456,7 @@ int quic_process(struct streaminfo *pstream, struct _quic_context* _context, int
 				{
 					_context->is_decrypt=1;
 					ret=dissect_quic((char *)udp_detail->pdata, udp_detail->datalen, decrypt_payload, &decrypt_payload_len);
-					if(ret!=1 || decrypt_payload_len>2048 || decrypt_payload_len<0)
+					if(ret!=1 || decrypt_payload_len>2048 || decrypt_payload_len<=0)
 					{
 						return APP_STATE_GIVEME;
 					}