BUG/MINOR: quic: Missing Initial packet length check

Any client Initial packet carried in a datagram smaller than QUIC_INITIAL_PACKET_MINLEN(200) bytes must be discarded. This does not mean we must discard the entire datagram. So we must at least try to parse the packet length before dropping the packet and return its length from qc_lstnr_pkt_rcv().
2025-09-24 23:31:40 +02:00 · 2022-04-27 11:42:08 +02:00 · 2022-04-27 11:42:08 +02:00 · 87373e7269
commit 87373e7269
parent 77cb38d22d
1 changed files with 10 additions and 0 deletions
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@ -5025,12 +5025,19 @@ static ssize_t qc_lstnr_pkt_rcv(unsigned char *buf, const unsigned char *end,
 	qc_parse_hd_form(pkt, *buf++, &long_header);
 	if (long_header) {
 		uint64_t len;
+		int drop_no_con = 0;

 		if (!quic_packet_read_long_header(&buf, end, pkt)) {
 			TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT);
 			goto err;
 		}

+		if (pkt->type == QUIC_PACKET_TYPE_INITIAL &&
+		    dgram->len < QUIC_INITIAL_PACKET_MINLEN) {
+			TRACE_PROTO("Too short datagram with an Initial packet", QUIC_EV_CONN_LPKT, qc);
+			drop_no_con = 1;
+		}
+
 		/* When multiple QUIC packets are coalesced on the same UDP datagram,
 		 * they must have the same DCID.
 		 */
@ -5108,6 +5115,8 @@ static ssize_t qc_lstnr_pkt_rcv(unsigned char *buf, const unsigned char *end,

 		payload = buf;
 		pkt->len = len + payload - beg;
+		if (drop_no_con)
+			goto drop_no_con;

 		qc = retrieve_qc_conn_from_cid(pkt, l, &dgram->saddr);
 		if (!qc) {
@ -5322,6 +5331,7 @@ static ssize_t qc_lstnr_pkt_rcv(unsigned char *buf, const unsigned char *end,
 	if (conn_ctx)
 		tasklet_wakeup(conn_ctx->wait_event.tasklet);

+ drop_no_con:
 	TRACE_LEAVE(QUIC_EV_CONN_LPKT, qc ? qc : NULL, pkt);

 	return pkt->len;