QUIC: do not update largest packet number from a bad packet.
authorRoman Arutyunyan <arut@nginx.com>
Tue, 1 Sep 2020 12:21:49 +0000 (15:21 +0300)
committerRoman Arutyunyan <arut@nginx.com>
Tue, 1 Sep 2020 12:21:49 +0000 (15:21 +0300)
The removal of QUIC packet protection depends on the largest packet number
received.  When a garbage packet was received, the decoder still updated the
largest packet number from that packet.  This could affect removing protection
from subsequent QUIC packets.

src/event/ngx_event_quic_protection.c

index ae6ae27e7a54c13993faf7ee851852fc811d11ed..8e7fcc1e80a2f86f958a64ee9ee4d085b37e6e57 100644 (file)
@@ -998,7 +998,7 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn,
 {
     u_char               clearflags, *p, *sample;
     uint8_t              badflags;
-    uint64_t             pn;
+    uint64_t             pn, lpn;
     ngx_int_t            pnl, rc, key_phase;
     ngx_str_t            in, ad;
     ngx_quic_secret_t   *secret;
@@ -1043,8 +1043,10 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn,
         }
     }
 
+    lpn = *largest_pn;
+
     pnl = (clearflags & 0x03) + 1;
-    pn = ngx_quic_parse_pn(&p, pnl, &mask[1], largest_pn);
+    pn = ngx_quic_parse_pn(&p, pnl, &mask[1], &lpn);
 
     pkt->pn = pn;
     pkt->flags = clearflags;
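Review bot: `pkt->pn = pn;` and `pkt->flags = clearflags;` still write values taken from the packet into the caller's header before the payload has been decrypted and checked, so after an error return they hold data from an unverified packet. That is the same kind of exposure this commit closes for `largest_pn`. Whether any caller reads `pkt->pn` after a failure is not visible here. If nothing between this point and the final return depends on them, consider moving both assignments down next to `*largest_pn = lpn;`. Otherwise add a comment such as `/* pkt->pn and pkt->flags are valid only if NGX_OK is returned */`. The body of ngx_quic_decrypt starts and ends outside this hunk.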
@@ -1118,6 +1120,8 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn,
         return NGX_ERROR;
     }
 
+    *largest_pn = lpn;
+
     return NGX_OK;
 }
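Review bot: The fix depends on `*largest_pn = lpn;` sitting after the last `return NGX_ERROR`, but nothing in the code records that. A later early success return or a reordering would silently bring back the state update from a bad packet. I would add a comment above the assignment, for example `/* update the largest packet number only after the packet passed all checks */`. The checks that precede it are outside this hunk, so it is worth confirming that every failure path, including the decryption failure itself, returns before this line.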