Is ngx_quic_select_socket_by_dcid good when len < 20 ?

Vladimir Homutov vl at nginx.com
Tue Mar 9 20:24:10 UTC 2021


09.03.2021 10:13, Gao,Yan(ACG VCP) wrote:
> ngx_quic_select_socket_by_dcid
> 
>      advance_data(sizeof(struct udphdr)); /* skip UDP header */
> 
>      advance_data(1); /* QUIC flags */
> 
>      if (data[0] & NGX_QUIC_PKT_LONG) {
> 
>          advance_data(4); /* skip QUIC version */
> 
>          len = data[0];   /* read DCID length */
> 
>          if (len < 8) {
> 
>              /* it's useless to search for key in such short DCID */
> 
>              return SK_PASS;
> 
>          }
> 
>          advance_data(1); /* skip DCID len */
> 
>      } else {
> 
>          len = NGX_QUIC_SERVER_CID_LEN;
> 
>      }
> 
> dcid = &data[1];
> 
> advance_data(len); /* we expect the packet to have full DCID */
> 
> len = data[0];   /* read DCID length */
> 
> advance_data(1); /* skip DCID len */
> 
> dcid = &data[1];
> 
> len = data[0] and dcid = &data[1] should both move after advance_data(1) 
>   or before advance_data(1)
> 
> is ngx_quic_parse_uint64(dcid) good when len < 20 ?
> 
We always check that we have enough bytes to read before actually
accessing data. Moreover, this is enforced by the BPF verifier,
so the code won't compile without a proper check.

We have no idea if the packet contains garbage or a proper QUIC header.
We just extract the key (if there are enough bytes) and then
try to find a match in a map.
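
The check-before-read pattern described in the reply, as an added userspace C example that is not nginx code and not part of the thread: a cursor helper refuses any read past the end of the packet, so a truncated packet or a DCID too short for a key is passed over rather than read. The names `take`, `dcid_key`, `PKT_LONG`, `SERVER_CID_LEN` and `KEY_LEN`, their values, and the big-endian key order are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define PKT_LONG        0x80  /* QUIC header form bit: long header */
#define SERVER_CID_LEN  20    /* assumed DCID length in short headers */
#define KEY_LEN         8     /* leading DCID bytes used as the lookup key */

/* Hand out n bytes at the cursor only if they all lie before end. */
static int take(const uint8_t **p, const uint8_t *end, size_t n, const uint8_t **f)
{
    if ((size_t) (end - *p) < n) return 0;
    *f = *p;
    *p += n;
    return 1;
}

/* QUIC payload (UDP header already skipped) -> key from the DCID.
 * Returns 1 and sets *key, or 0 if truncated or the DCID is under KEY_LEN. */
int dcid_key(const uint8_t *pkt, size_t size, uint64_t *key)
{
    const uint8_t *p = pkt, *end = pkt + size, *f, *dcid;
    size_t len, i;

    if (!take(&p, end, 1, &f)) return 0;        /* flags byte */
    if (f[0] & PKT_LONG) {
        if (!take(&p, end, 4, &f)) return 0;    /* version */
        if (!take(&p, end, 1, &f)) return 0;    /* DCID length byte */
        len = f[0];
        if (len < KEY_LEN) return 0;            /* too short to hold a key */
    } else {
        len = SERVER_CID_LEN;
    }
    if (!take(&p, end, len, &dcid)) return 0;   /* the full DCID must be present */

    *key = 0;
    for (i = 0; i < KEY_LEN; i++)               /* safe: KEY_LEN <= len, all in bounds */
        *key = (*key << 8) | dcid[i];           /* big-endian order is an assumption */
    return 1;
}

int main(void)
{
    /* constructed sample: long header, version 1, 8-byte DCID */
    const uint8_t pkt[] = {0xc0, 0, 0, 0, 1, 8, 1, 2, 3, 4, 5, 6, 7, 8};
    uint64_t key;
    return dcid_key(pkt, sizeof(pkt), &key) ? 0 : 1;
}
```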


