3 files changed, 24 insertions, 1 deletions

diff --git a/src/event/ngx_event_quic.c b/src/event/ngx_event_quic.c
index 26e307bbe..2ebb72f24 100644
--- a/src/event/ngx_event_quic.c
+++ b/src/event/ngx_event_quic.c
@@ -579,6 +579,14 @@ ngx_quic_new_connection(ngx_connection_t *c, ngx_ssl_t *ssl, ngx_quic_tp_t *tp,
         return NGX_ERROR;
     }
 
+    if (pkt->dcid.len < NGX_QUIC_CID_LEN_MIN) {
+        /* 7.2.  Negotiating Connection IDs */
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "quic too short dcid in initial packet: length %i",
+                      pkt->dcid.len);
+        return NGX_ERROR;
+    }
+
     c->log->action = "creating new quic connection";
 
     qc = ngx_pcalloc(c->pool, sizeof(ngx_quic_connection_t));
diff --git a/src/event/ngx_event_quic_transport.c b/src/event/ngx_event_quic_transport.c
index 1732f8b0f..5d0182032 100644
--- a/src/event/ngx_event_quic_transport.c
+++ b/src/event/ngx_event_quic_transport.c
@@ -283,6 +283,12 @@ ngx_quic_parse_long_header(ngx_quic_header_t *pkt)
         return NGX_ERROR;
     }
 
+    if (idlen > NGX_QUIC_CID_LEN_MAX) {
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                      "quic packet dcid is too long");
+        return NGX_ERROR;
+    }
+
     pkt->dcid.len = idlen;
 
     p = ngx_quic_read_bytes(p, end, idlen, &pkt->dcid.data);
@@ -299,6 +305,12 @@ ngx_quic_parse_long_header(ngx_quic_header_t *pkt)
         return NGX_ERROR;
     }
 
+    if (idlen > NGX_QUIC_CID_LEN_MAX) {
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                      "quic packet scid is too long");
+        return NGX_ERROR;
+    }
+
     pkt->scid.len = idlen;
 
     p = ngx_quic_read_bytes(p, end, idlen, &pkt->scid.data);
diff --git a/src/event/ngx_event_quic_transport.h b/src/event/ngx_event_quic_transport.h
index c3b2bbf01..35db6ccf3 100644
--- a/src/event/ngx_event_quic_transport.h
+++ b/src/event/ngx_event_quic_transport.h
@@ -112,6 +112,9 @@
 #define NGX_QUIC_TP_PREFERRED_ADDRESS                    0x0D
 #define NGX_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT           0x0E
 
+#define NGX_QUIC_CID_LEN_MIN                                8
+#define NGX_QUIC_CID_LEN_MAX                               20
+
 
 typedef struct {
     uint64_t                                    largest;
@@ -130,7 +133,7 @@ typedef struct {
     uint64_t                                    seqnum;
     uint64_t                                    retire;
     uint8_t                                     len;
-    u_char                                      cid[20];
+    u_char                                      cid[NGX_QUIC_CID_LEN_MAX];
     u_char                                      srt[16];
 } ngx_quic_new_conn_id_frame_t;