QUIC: avoid assigning unvalidated address to new streams

Previously, when a client migrated to a new address, new QUIC streams
received this address before validation.  This allowed an attacker to
create QUIC streams with a spoofed address.

Reported by Rodrigo Laneth.
Roman Arutyunyan 2026-04-30 17:15:53 +04:00 committed by Sergey Kandaurov
parent d2b8d47741
commit 5461e8bbc0


@ -194,6 +194,8 @@ valid:
path->validated = 1;
ngx_quic_set_connection_path(c, path);
if (path->mtu_unvalidated) {
path->mtu_unvalidated = 0;
return ngx_quic_validate_path(c, path);
@ -511,9 +513,10 @@ ngx_quic_handle_migration(ngx_connection_t *c, ngx_quic_header_t *pkt)
qc->path = next;
qc->path->tag = NGX_QUIC_PATH_ACTIVE;
ngx_quic_set_connection_path(c, next);
if (next->validated) {
ngx_quic_set_connection_path(c, next);
if (!next->validated && next->state != NGX_QUIC_PATH_VALIDATING) {
} else if (next->state != NGX_QUIC_PATH_VALIDATING) {
if (ngx_quic_validate_path(c, next) != NGX_OK) {
return NGX_ERROR;
}
@ -807,8 +810,6 @@ ngx_quic_expire_path_validation(ngx_connection_t *c, ngx_quic_path_t *path)
qc->path = bkp;
qc->path->tag = NGX_QUIC_PATH_ACTIVE;
ngx_quic_set_connection_path(c, qc->path);
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"quic path seq:%uL addr:%V is restored from backup",
qc->path->seqnum, &qc->path->addr_text);
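Review bot: The call added under `valid:` applies `path` to the connection unconditionally, and nothing visible in that hunk shows that the path being validated is the active one (`qc->path`); the `ngx_quic_handle_migration` hunk, by contrast, only applies `next` after it has become `qc->path`. If a PATH_RESPONSE could ever validate a path that is not active, the connection and its new streams would take the address of a non-active path, so either guard the call with `if (path == qc->path)` or, if validation can only run on the active path, say so in a comment above the call. The same assumption is what makes dropping the call in `ngx_quic_expire_path_validation` safe (the connection address is presumed to still be the backup's, because an unvalidated path no longer overwrites it), and a one-line comment there, e.g. `/* connection address was never switched to the unvalidated path */`, would keep a later change from breaking it silently. All three functions start and end outside the visible hunks, so this is inferred from the shown lines only.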