RFC 9000, 9.3. Responding to Connection Migration:
An endpoint only changes the address to which it sends packets in
response to the highest-numbered non-probing packet.
The patch extends this requirement to probing packets. Although it may
seem excessive, it helps with mitigation of replay attacks (when an off-path
attacker has copied a packet with PATH_CHALLENGE and uses different
addresses to exhaust available connection ids).
ngx_queue_t *q;
ngx_quic_path_t *path, *probe;
ngx_quic_socket_t *qsock;
+ ngx_quic_send_ctx_t *ctx;
ngx_quic_client_id_t *cid;
ngx_quic_connection_t *qc;
/* packet from new path, drop current probe, if any */
+ ctx = ngx_quic_get_send_ctx(qc, pkt->level);
+
+ /*
+ * only accept highest-numbered packets to prevent connection id
+ * exhaustion by excessive probing packets from unknown paths
+ */
+ if (pkt->pn != ctx->largest_pn) {
+ return NGX_DONE;
+ }
+
if (probe && ngx_quic_free_path(c, probe) != NGX_OK) {
return NGX_ERROR;
}
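Review bot: the new check `if (pkt->pn != ctx->largest_pn)` is only correct if `ctx->largest_pn` has already been advanced to this packet's number before this function runs; if the caller updates `largest_pn` after path handling, every packet from a new path would be rejected and migration would never complete. Please state that ordering assumption in the comment above the check (e.g. "largest_pn is updated by the caller before path handling") and reference RFC 9000 section 9.3 there, so the contract with the packet-receive path is documented next to the code that depends on it. Separately, dropping the packet with `return NGX_DONE` means a reordered (older-numbered) probe from a legitimate new path is silently ignored rather than answered; that matches the commit message's intent, but a short comment saying the client is expected to re-probe would save the next reader from treating it as a bug.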