]> git.kaiwu.me - nginx.git/commitdiff
QUIC: check that the packet length is of at least sample size.
authorSergey Kandaurov <pluknet@nginx.com>
Tue, 8 Sep 2020 10:28:56 +0000 (13:28 +0300)
committerSergey Kandaurov <pluknet@nginx.com>
Tue, 8 Sep 2020 10:28:56 +0000 (13:28 +0300)
From quic-tls draft, section 5.4.2:
   An endpoint MUST discard packets that are not long enough to contain
   a complete sample.

The check includes the Packet Number field assumed to be 4 bytes long.

src/event/ngx_event_quic_protection.c

index 261f02d7f9be2d5322ad7b270cbed2715cd115e8..7a4ebdaa79df9e945c1b3c3049bdd4f7e526012d 100644 (file)
@@ -1019,6 +1019,10 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn,
      * AES-Based and ChaCha20-Based header protections sample 16 bytes
      */
 
+    if (pkt->len < EVP_GCM_TLS_TAG_LEN + 4) {
+        return NGX_DECLINED;
+    }
+
     sample = p + 4;
 
     /* header protection */