QUIC: avoid assigning unvalidated address to new streams
authorRoman Arutyunyan <arut@nginx.com>
Thu, 30 Apr 2026 13:15:53 +0000 (17:15 +0400)
committerSergey Kandaurov <s.kandaurov@f5.com>
Wed, 13 May 2026 17:19:47 +0000 (21:19 +0400)
Previously, when a client migrated to a new address, new QUIC streams
received this address before validation.  This allowed an attacker to
create QUIC streams with a spoofed address.

Reported by Rodrigo Laneth.

src/event/quic/ngx_event_quic_migration.c

index 42354ca669755626bc1a6fb1cac2ddd40f531662..bbb105142fc02c631e52a27fd6652b1bd4788a8d 100644 (file)
@@ -194,6 +194,8 @@ valid:
 
     path->validated = 1;
 
+    ngx_quic_set_connection_path(c, path);
+
     if (path->mtu_unvalidated) {
         path->mtu_unvalidated = 0;
         return ngx_quic_validate_path(c, path);
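Review bot: The added `ngx_quic_set_connection_path(c, path);` under `valid:` runs for whichever path has just passed validation, and nothing in the visible lines ties that path to the active one. If this label can be reached for a path other than `qc->path` (for example a probed or backup path), the connection and its new streams would take an address the client has validated but not migrated to. Consider guarding the call, assuming `qc` is in scope here: `if (path == qc->path) { ngx_quic_set_connection_path(c, path); }`. Otherwise, add a comment stating why the validated path is always the active one at this point. The enclosing function starts and ends outside the hunk, so this is inferred from the hunk alone.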
@@ -511,9 +513,10 @@ ngx_quic_handle_migration(ngx_connection_t *c, ngx_quic_header_t *pkt)
     qc->path = next;
     qc->path->tag = NGX_QUIC_PATH_ACTIVE;
 
-    ngx_quic_set_connection_path(c, next);
+    if (next->validated) {
+        ngx_quic_set_connection_path(c, next);
 
-    if (!next->validated && next->state != NGX_QUIC_PATH_VALIDATING) {
+    } else if (next->state != NGX_QUIC_PATH_VALIDATING) {
         if (ngx_quic_validate_path(c, next) != NGX_OK) {
             return NGX_ERROR;
         }
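Review bot: The new `if (next->validated)` branch carries the security reasoning of this commit but has no comment, so a later refactor could move the call back out of the condition. A short comment above it would help, e.g. `/* do not assign the new address to the connection (and new streams) until the path is validated */`. It is also worth stating that when `next` is unvalidated and already in `NGX_QUIC_PATH_VALIDATING`, neither branch runs and the address is assigned only after validation succeeds at `valid:`. The body of ngx_quic_handle_migration continues outside the hunk.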
@@ -807,8 +810,6 @@ ngx_quic_expire_path_validation(ngx_connection_t *c, ngx_quic_path_t *path)
         qc->path = bkp;
         qc->path->tag = NGX_QUIC_PATH_ACTIVE;
 
-        ngx_quic_set_connection_path(c, qc->path);
-
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "quic path seq:%uL addr:%V is restored from backup",
                       qc->path->seqnum, &qc->path->addr_text);