[nginx] QUIC: ignore CRYPTO frames after handshake completion.

Sergey Kandaurov pluknet at nginx.com
Wed May 29 14:58:25 UTC 2024


details:   https://hg.nginx.org/nginx/rev/e4e9d7003b31
branches:  stable-1.26
changeset: 9264:e4e9d7003b31
user:      Roman Arutyunyan <arut at nginx.com>
date:      Tue May 28 17:19:08 2024 +0400
description:
QUIC: ignore CRYPTO frames after handshake completion.

Sending handshake-level CRYPTO frames after the client's Finished message could
lead to memory disclosure and a potential segfault, if those frames are sent in
one packet with the Finished frame.

diffstat:

 src/event/quic/ngx_event_quic_ssl.c |  5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diffs (15 lines):

diff -r ed593e26c79a -r e4e9d7003b31 src/event/quic/ngx_event_quic_ssl.c
--- a/src/event/quic/ngx_event_quic_ssl.c	Tue May 28 17:18:50 2024 +0400
+++ b/src/event/quic/ngx_event_quic_ssl.c	Tue May 28 17:19:08 2024 +0400
@@ -326,6 +326,11 @@ ngx_quic_handle_crypto_frame(ngx_connect
     ngx_quic_crypto_frame_t  *f;
 
     qc = ngx_quic_get_connection(c);
+
+    if (!ngx_quic_keys_available(qc->keys, pkt->level, 0)) {
+        return NGX_OK;
+    }
+
     ctx = ngx_quic_get_send_ctx(qc, pkt->level);
     f = &frame->u.crypto;
 
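Review bot: The early return added at the top of ngx_quic_handle_crypto_frame() has no comment, and the condition does not by itself say what the commit message says: it tests whether keys for pkt->level are available, while the description speaks of CRYPTO frames arriving after handshake completion in the same packet as the client's Finished. A one- or two-line comment above `if (!ngx_quic_keys_available(qc->keys, pkt->level, 0))` should state why missing keys at this level mean the frame must be ignored, so the memory-safety reason for the guard is not lost if the function is later refactored. The bare `0` passed as the third argument is also unexplained at the call site and deserves a word in that comment. Finally, `return NGX_OK` drops the frame silently; consider a debug-level log line before it so that a peer sending such frames leaves a trace when troubleshooting.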

