diff options
| author | Vladimir Homutov <vl@nginx.com> | 2020-05-14 14:49:28 +0300 |
|---|---|---|
| committer | Vladimir Homutov <vl@nginx.com> | 2020-05-14 14:49:28 +0300 |
| commit | 5ccda6882e9f72b9df01fa4b9403376f0899addc (patch) | |
| tree | bb648c463b6f904a0fd90d85e64717bce86fe68a | |
| parent | d4f9bba1110b95cabf964075031583e1816be56b (diff) | |
| download | nginx-5ccda6882e9f72b9df01fa4b9403376f0899addc.tar.gz nginx-5ccda6882e9f72b9df01fa4b9403376f0899addc.tar.bz2 | |
Added tests for connection id lengths in initial packet.
| -rw-r--r-- | src/event/ngx_event_quic.c | 8 | ||||
| -rw-r--r-- | src/event/ngx_event_quic_transport.c | 12 | ||||
| -rw-r--r-- | src/event/ngx_event_quic_transport.h | 5 |
3 files changed, 24 insertions, 1 deletions
diff --git a/src/event/ngx_event_quic.c b/src/event/ngx_event_quic.c index 26e307bbe..2ebb72f24 100644 --- a/src/event/ngx_event_quic.c +++ b/src/event/ngx_event_quic.c @@ -579,6 +579,14 @@ ngx_quic_new_connection(ngx_connection_t *c, ngx_ssl_t *ssl, ngx_quic_tp_t *tp, return NGX_ERROR; } + if (pkt->dcid.len < NGX_QUIC_CID_LEN_MIN) { + /* 7.2. Negotiating Connection IDs */ + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "quic too short dcid in initial packet: length %i", + pkt->dcid.len); + return NGX_ERROR; + } + c->log->action = "creating new quic connection"; qc = ngx_pcalloc(c->pool, sizeof(ngx_quic_connection_t)); diff --git a/src/event/ngx_event_quic_transport.c b/src/event/ngx_event_quic_transport.c index 1732f8b0f..5d0182032 100644 --- a/src/event/ngx_event_quic_transport.c +++ b/src/event/ngx_event_quic_transport.c @@ -283,6 +283,12 @@ ngx_quic_parse_long_header(ngx_quic_header_t *pkt) return NGX_ERROR; } + if (idlen > NGX_QUIC_CID_LEN_MAX) { + ngx_log_error(NGX_LOG_INFO, pkt->log, 0, + "quic packet dcid is too long"); + return NGX_ERROR; + } + pkt->dcid.len = idlen; p = ngx_quic_read_bytes(p, end, idlen, &pkt->dcid.data); @@ -299,6 +305,12 @@ ngx_quic_parse_long_header(ngx_quic_header_t *pkt) return NGX_ERROR; } + if (idlen > NGX_QUIC_CID_LEN_MAX) { + ngx_log_error(NGX_LOG_INFO, pkt->log, 0, + "quic packet scid is too long"); + return NGX_ERROR; + } + pkt->scid.len = idlen; p = ngx_quic_read_bytes(p, end, idlen, &pkt->scid.data); diff --git a/src/event/ngx_event_quic_transport.h b/src/event/ngx_event_quic_transport.h index c3b2bbf01..35db6ccf3 100644 --- a/src/event/ngx_event_quic_transport.h +++ b/src/event/ngx_event_quic_transport.h @@ -112,6 +112,9 @@ #define NGX_QUIC_TP_PREFERRED_ADDRESS 0x0D #define NGX_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT 0x0E +#define NGX_QUIC_CID_LEN_MIN 8 +#define NGX_QUIC_CID_LEN_MAX 20 + typedef struct { uint64_t largest; @@ -130,7 +133,7 @@ typedef struct { uint64_t seqnum; uint64_t retire; uint8_t len; - u_char cid[20]; + u_char cid[NGX_QUIC_CID_LEN_MAX]; u_char srt[16]; } ngx_quic_new_conn_id_frame_t; |