]> git.kaiwu.me - nginx.git/commit
QUIC: avoid assigning unvalidated address to new streams
authorRoman Arutyunyan <arut@nginx.com>
Thu, 30 Apr 2026 13:15:53 +0000 (17:15 +0400)
committerSergey Kandaurov <s.kandaurov@f5.com>
Wed, 13 May 2026 17:19:47 +0000 (21:19 +0400)
commitf37ec3e5d4f527e52ed5b25951ad8aa7d1ff6266
treea2cc809e8673762032d5ffc0e5a690a64802fa36
parent71841dcedfdf46048ef5e25413fdf97a66957913
QUIC: avoid assigning unvalidated address to new streams

Previously, when a client migrated to a new address, new QUIC streams
received this address before validation.  This allowed an attacker to
create QUIC streams with a spoofed address.

Reported by Rodrigo Laneth.
src/event/quic/ngx_event_quic_migration.c