From f37ec3e5d4f527e52ed5b25951ad8aa7d1ff6266 Mon Sep 17 00:00:00 2001 From: Roman Arutyunyan Date: Thu, 30 Apr 2026 17:15:53 +0400 Subject: [PATCH] QUIC: avoid assigning unvalidated address to new streams Previously, when a client migrated to a new address, new QUIC streams received this address before validation. This allowed an attacker to create QUIC streams with a spoofed address. Reported by Rodrigo Laneth. --- src/event/quic/ngx_event_quic_migration.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/event/quic/ngx_event_quic_migration.c b/src/event/quic/ngx_event_quic_migration.c index 42354ca66..bbb105142 100644 --- a/src/event/quic/ngx_event_quic_migration.c +++ b/src/event/quic/ngx_event_quic_migration.c @@ -194,6 +194,8 @@ valid: path->validated = 1; + ngx_quic_set_connection_path(c, path); + if (path->mtu_unvalidated) { path->mtu_unvalidated = 0; return ngx_quic_validate_path(c, path); @@ -511,9 +513,10 @@ ngx_quic_handle_migration(ngx_connection_t *c, ngx_quic_header_t *pkt) qc->path = next; qc->path->tag = NGX_QUIC_PATH_ACTIVE; - ngx_quic_set_connection_path(c, next); + if (next->validated) { + ngx_quic_set_connection_path(c, next); - if (!next->validated && next->state != NGX_QUIC_PATH_VALIDATING) { + } else if (next->state != NGX_QUIC_PATH_VALIDATING) { if (ngx_quic_validate_path(c, next) != NGX_OK) { return NGX_ERROR; } @@ -807,8 +810,6 @@ ngx_quic_expire_path_validation(ngx_connection_t *c, ngx_quic_path_t *path) qc->path = bkp; qc->path->tag = NGX_QUIC_PATH_ACTIVE; - ngx_quic_set_connection_path(c, qc->path); - ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic path seq:%uL addr:%V is restored from backup", qc->path->seqnum, &qc->path->addr_text);