]> git.kaiwu.me - nginx.git/commitdiff
QUIC: removed check for packet size beyond MAX_UDP_PAYLOAD_SIZE.
authorSergey Kandaurov <pluknet@nginx.com>
Tue, 8 Sep 2020 10:35:50 +0000 (13:35 +0300)
committerSergey Kandaurov <pluknet@nginx.com>
Tue, 8 Sep 2020 10:35:50 +0000 (13:35 +0300)
The check tested the total size of a packet header and unprotected packet
payload, which doesn't include the packet number length and expansion of
the packet protection AEAD.  If the packet was corrupted, it could cause
false triggering of the condition due to unsigned type underflow leading
to a connection error.

Existing checks for the QUIC header and protected packet payload lengths
should be enough.

src/event/ngx_event_quic_protection.c

index 7a4ebdaa79df9e945c1b3c3049bdd4f7e526012d..0d205a1601e0ab0852b09a59c8e1d9b5fd491e30 100644 (file)
@@ -1089,11 +1089,6 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn,
 #endif
 
     pkt->payload.len = in.len - EVP_GCM_TLS_TAG_LEN;
-
-    if (NGX_QUIC_MAX_UDP_PAYLOAD_SIZE - ad.len < pkt->payload.len) {
-        return NGX_ERROR;
-    }
-
     pkt->payload.data = pkt->plaintext + ad.len;
 
     rc = ngx_quic_tls_open(ciphers.c, secret, &pkt->payload,