authorVladimir Homutov <vl@nginx.com>2022-01-20 22:00:25 +0300
committerVladimir Homutov <vl@nginx.com>2022-01-20 22:00:25 +0300
commita816af6e1be93ad026b179f8c35c720b891b1e65 (patch)
tree7813027a981aad76b3fda0bfda985b2afe281093 /src
parent8a4a267d74fa31e4693691a1a8788b0773329481 (diff)
downloadnginx-a816af6e1be93ad026b179f8c35c720b891b1e65.tar.gz
nginx-a816af6e1be93ad026b179f8c35c720b891b1e65.zip
QUIC: additional limit for probing packets.
RFC 9000, 9.3. Responding to Connection Migration: An endpoint only changes the address to which it sends packets in response to the highest-numbered non-probing packet. The patch extends this requirement to probing packets. Although it may seem excessive, it helps to mitigate replay attacks (when an off-path attacker has copied a packet with PATH_CHALLENGE and uses different addresses to exhaust the available connection ids).
Diffstat (limited to 'src')
-rw-r--r--src/event/quic/ngx_event_quic_migration.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/event/quic/ngx_event_quic_migration.c b/src/event/quic/ngx_event_quic_migration.c
index e66a402c8..d1a5cf7a0 100644
--- a/src/event/quic/ngx_event_quic_migration.c
+++ b/src/event/quic/ngx_event_quic_migration.c
@@ -255,6 +255,7 @@ ngx_quic_set_path(ngx_connection_t *c, ngx_quic_header_t *pkt)
ngx_queue_t *q;
ngx_quic_path_t *path, *probe;
ngx_quic_socket_t *qsock;
+ ngx_quic_send_ctx_t *ctx;
ngx_quic_client_id_t *cid;
ngx_quic_connection_t *qc;
@@ -291,6 +292,16 @@ ngx_quic_set_path(ngx_connection_t *c, ngx_quic_header_t *pkt)
/* packet from new path, drop current probe, if any */
+ ctx = ngx_quic_get_send_ctx(qc, pkt->level);
+
+ /*
+ * only accept highest-numbered packets to prevent connection id
+ * exhaustion by excessive probing packets from unknown paths
+ */
+ if (pkt->pn != ctx->largest_pn) {
+ return NGX_DONE;
+ }
+
if (probe && ngx_quic_free_path(c, probe) != NGX_OK) {
return NGX_ERROR;
}
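Review bot: The added check `pkt->pn != ctx->largest_pn` is only correct if `ctx->largest_pn` has already been advanced to cover the current packet before ngx_quic_set_path() runs, and nothing visible in this hunk establishes or documents that ordering. If that update ever moved after path selection, every legitimate first packet from a new path would be dropped here, so the comment should record the dependency, e.g. `/* relies on ctx->largest_pn already including this packet; see RFC 9000, 9.3 */`. The early `return NGX_DONE` is also silent, which makes dropped replayed probes hard to spot when diagnosing migration problems; a debug line such as `ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic ignoring non-latest packet pn:%uL from new path", pkt->pn);` before the return would help. The function starts and ends outside the hunk, so how callers treat NGX_DONE should be confirmed there.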