authorSergey Kandaurov <pluknet@nginx.com>2020-11-18 20:56:11 +0000
committerSergey Kandaurov <pluknet@nginx.com>2020-11-18 20:56:11 +0000
commit219053e3e3bd18ecb195815df0023da40dbdff9d (patch)
tree97926c2eccb4a28b394eaaad25f19435e7e161a0
parentd0a06195779112e76f76c313416cf43b1210c88b (diff)
downloadnginx-219053e3e3bd18ecb195815df0023da40dbdff9d.tar.gz
nginx-219053e3e3bd18ecb195815df0023da40dbdff9d.tar.bz2
QUIC: rejecting zero-length packets with PROTOCOL_VIOLATION.
Per the latest post-draft-32 specification updates on the topic: https://github.com/quicwg/base-drafts/pull/4391
-rw-r--r--src/event/ngx_event_quic_protection.c21
1 files changed, 15 insertions, 6 deletions
diff --git a/src/event/ngx_event_quic_protection.c b/src/event/ngx_event_quic_protection.c
index 64922b57f..5637fcec5 100644
--- a/src/event/ngx_event_quic_protection.c
+++ b/src/event/ngx_event_quic_protection.c
@@ -1146,16 +1146,20 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn)
rc = ngx_quic_tls_open(ciphers.c, secret, &pkt->payload,
nonce, &in, &ad, pkt->log);
-
-#if defined(NGX_QUIC_DEBUG_CRYPTO) && defined(NGX_QUIC_DEBUG_PACKETS)
- ngx_quic_hexdump(pkt->log, "quic packet payload",
- pkt->payload.data, pkt->payload.len);
-#endif
-
if (rc != NGX_OK) {
return NGX_DECLINED;
}
+ if (pkt->payload.len == 0) {
+ /*
+ * An endpoint MUST treat receipt of a packet containing no
+ * frames as a connection error of type PROTOCOL_VIOLATION.
+ */
+ ngx_log_error(NGX_LOG_INFO, pkt->log, 0, "quic zero-length packet");
+ pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
+ return NGX_ERROR;
+ }
+
if (pkt->flags & ngx_quic_pkt_rb_mask(pkt->flags)) {
/*
* An endpoint MUST treat receipt of a packet that has
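Review bot: The comment on the new `if (pkt->payload.len == 0)` check quotes the spec rule but does not record that the check depends on coming after the `rc != NGX_OK` return. Only a packet that ngx_quic_tls_open() accepted reaches it, so (presumably) a forged packet that fails to open is declined instead of raising PROTOCOL_VIOLATION on the connection; reordering the two tests later would lose that property. I would extend the comment with a line such as `* Checked only after the packet opened successfully; keep it below the rc test.` The body of ngx_quic_decrypt starts before this hunk, and the hunk ends inside the next comment.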
@@ -1169,6 +1173,11 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn)
return NGX_ERROR;
}
+#if defined(NGX_QUIC_DEBUG_CRYPTO) && defined(NGX_QUIC_DEBUG_PACKETS)
+ ngx_quic_hexdump(pkt->log, "quic packet payload",
+ pkt->payload.data, pkt->payload.len);
+#endif
+
*largest_pn = lpn;
return NGX_OK;
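Review bot: The relocated `ngx_quic_hexdump()` call has no comment explaining its new position, and the position changes what a debug build records. It now runs only after the zero-length and reserved-bits checks pass, so the payload of a packet rejected with PROTOCOL_VIOLATION is no longer dumped, whereas the old placement dumped `pkt->payload` even when the open had failed. Since the dump is decrypted payload, a short comment above the `#if` would help, e.g. `/* debug builds only: logs decrypted payload of accepted packets */`. The function begins outside this hunk.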