details: https://hg.nginx.org/nginx/rev/e4e9d7003b31 branches: stable-1.26 changeset: 9264:e4e9d7003b31 user: Roman Arutyunyan <a...@nginx.com> date: Tue May 28 17:19:08 2024 +0400 description: QUIC: ignore CRYPTO frames after handshake completion.
Sending handshake-level CRYPTO frames after the client's Finished message could lead to memory disclosure and a potential segfault, if those frames are sent in one packet with the Finished frame.
diffstat:
src/event/quic/ngx_event_quic_ssl.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diffs (15 lines):
diff -r ed593e26c79a -r e4e9d7003b31 src/event/quic/ngx_event_quic_ssl.c
--- a/src/event/quic/ngx_event_quic_ssl.c Tue May 28 17:18:50 2024 +0400
+++ b/src/event/quic/ngx_event_quic_ssl.c Tue May 28 17:19:08 2024 +0400
@@ -326,6 +326,11 @@ ngx_quic_handle_crypto_frame(ngx_connect
 ngx_quic_crypto_frame_t *f;
 qc = ngx_quic_get_connection(c);
+
+ if (!ngx_quic_keys_available(qc->keys, pkt->level, 0)) {
+ return NGX_OK;
+ }
+
 ctx = ngx_quic_get_send_ctx(qc, pkt->level);
 f = &frame->u.crypto;
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
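Review bot: The new guard at the top of ngx_quic_handle_crypto_frame() has no comment, so nothing in the code says why a CRYPTO frame is dropped with `NGX_OK` when keys for `pkt->level` are unavailable. The commit message explains it (frames that share a packet with the client's Finished), but the code does not. I would put a comment above the `if`, for example `/* keys for this level may already be discarded by an earlier frame in the same packet; ignore late CRYPTO data */`. Because the frame is dropped silently, a debug-level log line before `return NGX_OK;` would also make ignored frames visible when a connection is being diagnosed. The bare `0` in the third argument presumably selects the read-side keys, which is worth confirming against the declaration and naming in that comment. The function body begins and ends outside this hunk.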