QUIC: check that the packet length is of at least sample size.

From quic-tls draft, section 5.4.2: An endpoint MUST discard packets that are not long enough to contain a complete sample. The check includes the Packet Number field assumed to be 4 bytes long.
author: Sergey Kandaurov <pluknet@nginx.com> 2020-09-08 13:28:56 +0300
committer: Sergey Kandaurov <pluknet@nginx.com> 2020-09-08 13:28:56 +0300
commit: d8360f912ac2eeb0103c2781d450b7735d7894ba (patch)
tree: 0aa4166bc2c01dac09d3f9907facd70d6232e4b7 /src
parent: 952c6f19898b770906aefeb52dd0eb8a578dd808 (diff)
download: nginx-d8360f912ac2eeb0103c2781d450b7735d7894ba.tar.gz
nginx-d8360f912ac2eeb0103c2781d450b7735d7894ba.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/src/event/ngx_event_quic_protection.c b/src/event/ngx_event_quic_protection.c
index 261f02d7f..7a4ebdaa7 100644
--- a/src/event/ngx_event_quic_protection.c
+++ b/src/event/ngx_event_quic_protection.c
@@ -1019,6 +1019,10 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn,
      * AES-Based and ChaCha20-Based header protections sample 16 bytes
      */
 
+    if (pkt->len < EVP_GCM_TLS_TAG_LEN + 4) {
+        return NGX_DECLINED;
+    }
+
     sample = p + 4;
 
     /* header protection */
author	Sergey Kandaurov <pluknet@nginx.com>	2020-09-08 13:28:56 +0300
committer	Sergey Kandaurov <pluknet@nginx.com>	2020-09-08 13:28:56 +0300
commit	d8360f912ac2eeb0103c2781d450b7735d7894ba (patch)
tree	0aa4166bc2c01dac09d3f9907facd70d6232e4b7 /src
parent	952c6f19898b770906aefeb52dd0eb8a578dd808 (diff)
download	nginx-d8360f912ac2eeb0103c2781d450b7735d7894ba.tar.gz nginx-d8360f912ac2eeb0103c2781d450b7735d7894ba.zip