From d8360f912ac2eeb0103c2781d450b7735d7894ba Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov
Date: Tue, 8 Sep 2020 13:28:56 +0300
Subject: QUIC: check that the packet length is of at least sample size.

From quic-tls draft, section 5.4.2: An endpoint MUST discard packets that are not long enough to contain a complete sample. The check includes the Packet Number field assumed to be 4 bytes long.
---
 src/event/ngx_event_quic_protection.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/event/ngx_event_quic_protection.c b/src/event/ngx_event_quic_protection.c
index 261f02d7f..7a4ebdaa7 100644
--- a/src/event/ngx_event_quic_protection.c
+++ b/src/event/ngx_event_quic_protection.c
@@ -1019,6 +1019,10 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn,
 * AES-Based and ChaCha20-Based header protections sample 16 bytes
 */

+ if (pkt->len < EVP_GCM_TLS_TAG_LEN + 4) {
+ return NGX_DECLINED;
+ }
+
 sample = p + 4;

 /* header protection */
-- cgit
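Review bot: The new guard `pkt->len < EVP_GCM_TLS_TAG_LEN + 4` uses the AEAD tag length to stand in for the 16-byte header-protection sample, so although the value is the same it reads like a tag-length check. A comment on the condition, for example `/* 4-byte assumed packet number + 16-byte header protection sample */`, would tie it to the `sample = p + 4` line below and to the "sample 16 bytes" comment above. The guard only prevents an over-read of the sample if `pkt->len` counts bytes starting at `p` and was already bounded by the size of the received datagram. Neither is visible in this hunk, so both should be confirmed where the header is parsed. The body of ngx_quic_decrypt starts and ends outside the hunk.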