nginx.git/src/event, branch release-1.26.3 nginx QUIC: added missing casts in iov_base assignments. 2025-02-05T16:40:47+00:00 Aleksei Bavshin a.bavshin@nginx.com 2025-01-27T18:33:25+00:00 2e42c1e29e447c6716802bf62a7a40a390444e6b This is consistent with the rest of the code and fixes build on systems with non-standard definition of struct iovec (Solaris, Illumos). 
This is consistent with the rest of the code and fixes build on systems
with non-standard definition of struct iovec (Solaris, Illumos).
QUIC: prevented BIO leak in case of error. 2025-02-05T16:40:47+00:00 Roman Arutyunyan arut@nginx.com 2024-11-22T07:38:06+00:00 977824010f0bb8e2b54963fd4532a6167e6a0ada 






QUIC: fixed accessing a released stream.
2025-02-05T16:40:47+00:00

Roman Arutyunyan
arut@nginx.com

2024-12-10T14:19:27+00:00

5c8a92f1f0e482028504e5340f0ba455423df336

While trying to close a stream in ngx_quic_close_streams() by calling its
read event handler, the next stream saved prior to that could be destroyed
recursively.  This caused a segfault while trying to access the next stream.

The way the next stream could be destroyed in HTTP/3 is the following.
A request stream read event handler ngx_http_request_handler() could
end up calling ngx_http_v3_send_cancel_stream() to report a cancelled
request stream in the decoder stream.  If sending stream cancellation
decoder instruction fails for any reason, and the decoder stream is the
next in order after the request stream, the issue is triggered.

The fix is to postpone calling read event handlers for all streams being
closed to avoid closing a released stream.





While trying to close a stream in ngx_quic_close_streams() by calling its
read event handler, the next stream saved prior to that could be destroyed
recursively.  This caused a segfault while trying to access the next stream.

The way the next stream could be destroyed in HTTP/3 is the following.
A request stream read event handler ngx_http_request_handler() could
end up calling ngx_http_v3_send_cancel_stream() to report a cancelled
request stream in the decoder stream.  If sending stream cancellation
decoder instruction fails for any reason, and the decoder stream is the
next in order after the request stream, the issue is triggered.

The fix is to postpone calling read event handlers for all streams being
closed to avoid closing a released stream.







QUIC: ignore version negotiation packets.
2025-02-05T16:40:47+00:00

Roman Arutyunyan
arut@nginx.com

2024-12-13T09:25:26+00:00

0d11f2885eab99924dbe40d7effb91c80b00d9bf

Previously, such packets were treated as long header packets with unknown
version 0, and a version negotiation packet was sent in response.  This
could be used to set up an infinite traffic reflect loop with another nginx
instance.

Now version negotiation packets are ignored.  As per RFC 9000, Section 6.1:

  An endpoint MUST NOT send a Version Negotiation packet in response to
  receiving a Version Negotiation packet.





Previously, such packets were treated as long header packets with unknown
version 0, and a version negotiation packet was sent in response.  This
could be used to set up an infinite traffic reflect loop with another nginx
instance.

Now version negotiation packets are ignored.  As per RFC 9000, Section 6.1:

  An endpoint MUST NOT send a Version Negotiation packet in response to
  receiving a Version Negotiation packet.







QUIC: ngx_quic_buffer_t use-after-free protection.
2024-05-28T13:19:21+00:00

Roman Arutyunyan
arut@nginx.com

2024-05-28T13:19:21+00:00

0e7702e06655e3b439be8fbcd57bc91539912c2f

Previously the last chain field of ngx_quic_buffer_t could still reference freed
chains and buffers after calling ngx_quic_free_buffer().  While normally an
ngx_quic_buffer_t object should not be used after freeing, resetting last_chain
field would prevent a potential use-after-free.





Previously the last chain field of ngx_quic_buffer_t could still reference freed
chains and buffers after calling ngx_quic_free_buffer().  While normally an
ngx_quic_buffer_t object should not be used after freeing, resetting last_chain
field would prevent a potential use-after-free.







QUIC: ignore CRYPTO frames after handshake completion.
2024-05-28T13:19:08+00:00

Roman Arutyunyan
arut@nginx.com

2024-05-28T13:19:08+00:00

376f12e40adc83859a4ddea21d27d7c053ce02f8

Sending handshake-level CRYPTO frames after the client's Finished message could
lead to memory disclosure and a potential segfault, if those frames are sent in
one packet with the Finished frame.





Sending handshake-level CRYPTO frames after the client's Finished message could
lead to memory disclosure and a potential segfault, if those frames are sent in
one packet with the Finished frame.







QUIC: client transport parameter data length checking.
2024-05-28T13:17:19+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-05-28T13:17:19+00:00

eaa6daa5f5d79c0e34aa1a08faef3c574e46d613












QUIC: fixed close timer processing with early data.
2024-04-10T06:38:10+00:00

Vladimir Khomutov
vl@wbsrv.ru

2024-04-10T06:38:10+00:00

92f99685717e857de9ffa96993601a90803eb0d8

The ngx_quic_run() function uses qc->close timer to limit the handshake
duration.  Normally it is removed by ngx_quic_do_init_streams() which is
called once when we are done with initial SSL processing.

The problem happens when the client sends early data and streams are
initialized in the ngx_quic_run() -> ngx_quic_handle_datagram() call.
The order of set/remove timer calls is now reversed; the close timer is
set up and the timer fires when assigned, starting the unexpected connection
close process.

The fix is to skip setting the timer if streams were initialized during
handling of the initial datagram.  The idle timer for quic is set anyway,
and stream-related timeouts are managed by application layer.





The ngx_quic_run() function uses qc->close timer to limit the handshake
duration.  Normally it is removed by ngx_quic_do_init_streams() which is
called once when we are done with initial SSL processing.

The problem happens when the client sends early data and streams are
initialized in the ngx_quic_run() -> ngx_quic_handle_datagram() call.
The order of set/remove timer calls is now reversed; the close timer is
set up and the timer fires when assigned, starting the unexpected connection
close process.

The fix is to skip setting the timer if streams were initialized during
handling of the initial datagram.  The idle timer for quic is set anyway,
and stream-related timeouts are managed by application layer.







QUIC: fixed stream cleanup (ticket #2586).
2024-02-14T11:55:37+00:00

Roman Arutyunyan
arut@nginx.com

2024-02-14T11:55:37+00:00

5818f8a6693b3c0d95021f2ee58b69dcf848911c

Stream connection cleanup handler ngx_quic_stream_cleanup_handler() calls
ngx_quic_shutdown_stream() after which it resets the pointer from quic stream
to the connection (sc->connection = NULL).  Previously if this call failed,
sc->connection retained the old value, while the connection was freed by the
application code.  This resulted later in a second attempt to close the freed
connection, which lead to allocator double free error.

The fix is to reset the sc->connection pointer in case of error.





Stream connection cleanup handler ngx_quic_stream_cleanup_handler() calls
ngx_quic_shutdown_stream() after which it resets the pointer from quic stream
to the connection (sc->connection = NULL).  Previously if this call failed,
sc->connection retained the old value, while the connection was freed by the
application code.  This resulted later in a second attempt to close the freed
connection, which lead to allocator double free error.

The fix is to reset the sc->connection pointer in case of error.







QUIC: trial packet decryption in response to invalid key update.
2024-02-14T11:55:34+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-02-14T11:55:34+00:00

5902baf680609f884a1e11ff2b82a0bffb3724cc

Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
keys is now used to avoid a timing side-channel signal.  Further, this fixes
segfault while accessing missing next keys (ticket #2585).





Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
keys is now used to avoid a timing side-channel signal.  Further, this fixes
segfault while accessing missing next keys (ticket #2585).