From: Vladimir Homutov Date: Thu, 20 Jan 2022 19:00:25 +0000 (+0300) Subject: QUIC: additional limit for probing packets. X-Git-Tag: release-1.25.0~4^2~137 X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/postgres_fdw.c?a=commitdiff_plain;h=a816af6e1be93ad026b179f8c35c720b891b1e65;p=nginx.git QUIC: additional limit for probing packets. RFC 9000, 9.3. Responding to Connection Migration: An endpoint only changes the address to which it sends packets in response to the highest-numbered non-probing packet. The patch extends this requirement to probing packets. Although it may seem excessive, it helps with mitigation of reply attacks (when an off-path attacker has copied packet with PATH_CHALLENGE and uses different addresses to exhaust available connection ids). --- diff --git a/src/event/quic/ngx_event_quic_migration.c b/src/event/quic/ngx_event_quic_migration.c index e66a402c8..d1a5cf7a0 100644 --- a/src/event/quic/ngx_event_quic_migration.c +++ b/src/event/quic/ngx_event_quic_migration.c @@ -255,6 +255,7 @@ ngx_quic_set_path(ngx_connection_t *c, ngx_quic_header_t *pkt) ngx_queue_t *q; ngx_quic_path_t *path, *probe; ngx_quic_socket_t *qsock; + ngx_quic_send_ctx_t *ctx; ngx_quic_client_id_t *cid; ngx_quic_connection_t *qc; @@ -291,6 +292,16 @@ ngx_quic_set_path(ngx_connection_t *c, ngx_quic_header_t *pkt) /* packet from new path, drop current probe, if any */ + ctx = ngx_quic_get_send_ctx(qc, pkt->level); + + /* + * only accept highest-numbered packets to prevent connection id + * exhaustion by excessive probing packets from unknown paths + */ + if (pkt->pn != ctx->largest_pn) { + return NGX_DONE; + } + if (probe && ngx_quic_free_path(c, probe) != NGX_OK) { return NGX_ERROR; }
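Review bot: in the second hunk of ngx_quic_set_path(), the new `if (pkt->pn != ctx->largest_pn)` check is only correct if `ctx->largest_pn` has already been updated for the packet being processed, and nothing in the visible lines states or enforces that ordering. If the update happened after this function ran, a legitimate packet from a new path would be compared against the previous maximum and dropped. I suggest extending the comment to name that precondition, and to say that the comparison is per send context, since `ctx` is selected by `pkt->level`. The early `return NGX_DONE;` is also silent. A debug-level log line there, recording `pkt->pn` and `ctx->largest_pn`, would make rejected packets from unknown paths visible when investigating the connection id exhaustion the commit message describes.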