From: Roman Arutyunyan Date: Tue, 1 Sep 2020 12:21:49 +0000 (+0300) Subject: QUIC: do not update largest packet number from a bad packet. X-Git-Url: http://git.kaiwu.me/%7B@url%7D?a=commitdiff_plain;h=208735967547b989c243b70370061ba422c229d7;p=nginx.git QUIC: do not update largest packet number from a bad packet. The removal of QUIC packet protection depends on the largest packet number received. When a garbage packet was received, the decoder still updated the largest packet number from that packet. This could affect removing protection from subsequent QUIC packets. --- diff --git a/src/event/ngx_event_quic_protection.c b/src/event/ngx_event_quic_protection.c index ae6ae27e7..8e7fcc1e8 100644 --- a/src/event/ngx_event_quic_protection.c +++ b/src/event/ngx_event_quic_protection.c @@ -998,7 +998,7 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn, { u_char clearflags, *p, *sample; uint8_t badflags; - uint64_t pn; + uint64_t pn, lpn; ngx_int_t pnl, rc, key_phase; ngx_str_t in, ad; ngx_quic_secret_t *secret; @@ -1043,8 +1043,10 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn, } } + lpn = *largest_pn; + pnl = (clearflags & 0x03) + 1; - pn = ngx_quic_parse_pn(&p, pnl, &mask[1], largest_pn); + pn = ngx_quic_parse_pn(&p, pnl, &mask[1], &lpn); pkt->pn = pn; pkt->flags = clearflags; @@ -1118,6 +1120,8 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn, return NGX_ERROR; } + *largest_pn = lpn; + return NGX_OK; }