# HG changeset patch
# User Sergey Kandaurov <pluknet@nginx.com>
# Date 1584807759 -10800
# Node ID 556b34a863b2545018003169024566294a4b3744
# Parent  856d5a2de2584cb5b93a4651786bac1d04de6299
Fixed buffer overrun in create_transport_params() with -24.

It writes 16-bit prefix as designed, but length calculation assumed varint.

diff --git a/src/event/ngx_event_quic_transport.c b/src/event/ngx_event_quic_transport.c
--- a/src/event/ngx_event_quic_transport.c
+++ b/src/event/ngx_event_quic_transport.c
@@ -1136,7 +1136,7 @@ ngx_quic_create_transport_params(u_char 
 
     if (pos == NULL) {
 #if (quic_version < 0xff00001b)
-        len += ngx_quic_varint_len(len);
+        len += 2;
 #endif
         return len;
     }