diff options
| author | Roman Arutyunyan <arut@nginx.com> | 2024-05-28 17:19:08 +0400 |
|---|---|---|
| committer | Roman Arutyunyan <arut@nginx.com> | 2024-05-28 17:19:08 +0400 |
| commit | 6f8c520f497edfe26f46ef6da6699174df5b3da4 (patch) | |
| tree | 59be73c67fe4f101a5fe48f7ccadbe0bdf9dbf8d /src | |
| parent | cca5655dd9ba349817946a0db14f8b1f633f700a (diff) | |
| download | nginx-6f8c520f497edfe26f46ef6da6699174df5b3da4.tar.gz nginx-6f8c520f497edfe26f46ef6da6699174df5b3da4.zip | |
QUIC: ignore CRYPTO frames after handshake completion.
Sending handshake-level CRYPTO frames after the client's Finished message could
lead to memory disclosure and a potential segfault, if those frames are sent in
one packet with the Finished frame.
Diffstat (limited to 'src')
| -rw-r--r-- | src/event/quic/ngx_event_quic_ssl.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c index 7872783f8..ba0b5929f 100644 --- a/src/event/quic/ngx_event_quic_ssl.c +++ b/src/event/quic/ngx_event_quic_ssl.c @@ -326,6 +326,11 @@ ngx_quic_handle_crypto_frame(ngx_connection_t *c, ngx_quic_header_t *pkt, ngx_quic_crypto_frame_t *f; qc = ngx_quic_get_connection(c); + + if (!ngx_quic_keys_available(qc->keys, pkt->level, 0)) { + return NGX_OK; + } + ctx = ngx_quic_get_send_ctx(qc, pkt->level); f = &frame->u.crypto; |