[PATCH 4 of 7] QUIC: ignore CRYPTO frames after handshake completion

Maxim Dounin Thu, 30 May 2024 18:06:12 -0700

# HG changeset patch
# User Roman Arutyunyan <a...@nginx.com>
# Date 1716902348 -14400
#      Tue May 28 17:19:08 2024 +0400
# Node ID 8822af43e7e919b8c903174886c8ffecdb25f017
# Parent  352360116e2c2fef891a91284083fb1d6c36c72d
QUIC: ignore CRYPTO frames after handshake completion.


Sending handshake-level CRYPTO frames after the client's Finished message could
lead to memory disclosure and a potential segfault, if those frames are sent in
one packet with the Finished frame.

diff --git a/src/event/quic/ngx_event_quic_ssl.c 
b/src/event/quic/ngx_event_quic_ssl.c
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -326,6 +326,11 @@ ngx_quic_handle_crypto_frame(ngx_connect
     ngx_quic_crypto_frame_t  *f;
 
     qc = ngx_quic_get_connection(c);
+
+    if (!ngx_quic_keys_available(qc->keys, pkt->level, 0)) {
+        return NGX_OK;
+    }
+
     ctx = ngx_quic_get_send_ctx(qc, pkt->level);
     f = &frame->u.crypto;

[PATCH 4 of 7] QUIC: ignore CRYPTO frames after handshake completion

Reply via email to