]> git.kaiwu.me - nginx.git/commit
QUIC: avoid assigning unvalidated address to new streams
authorRoman Arutyunyan <arut@nginx.com>
Thu, 30 Apr 2026 13:15:53 +0000 (17:15 +0400)
committerSergey Kandaurov <s.kandaurov@f5.com>
Wed, 13 May 2026 17:20:55 +0000 (21:20 +0400)
commit5461e8bbc09230a4cf8e3d7737c176ae69b091f1
tree92a0d41ae0fb9143da89df56ac26e560c5afc815
parentd2b8d47741820c9fb134c6731ecb40b21f3085b1
QUIC: avoid assigning unvalidated address to new streams

Previously, when a client migrated to a new address, new QUIC streams
received this address before validation.  This allowed an attacker to
create QUIC streams with a spoofed address.

Reported by Rodrigo Laneth.
src/event/quic/ngx_event_quic_migration.c