QUIC: fixed parsing of unknown frame types.

The ngx_quic_frame_allowed() function only expects known frame types.

2 files changed, 9 insertions, 0 deletions

diff --git a/src/event/quic/ngx_event_quic_transport.c b/src/event/quic/ngx_event_quic_transport.c
index 2c952177c..ad4758c60 100644
--- a/src/event/quic/ngx_event_quic_transport.c
+++ b/src/event/quic/ngx_event_quic_transport.c
@@ -742,6 +742,13 @@ ngx_quic_parse_frame(ngx_quic_header_t *pkt, u_char *start, u_char *end,
         return NGX_ERROR;
     }
 
+    if (varint > NGX_QUIC_FT_LAST) {
+        pkt->error = NGX_QUIC_ERR_FRAME_ENCODING_ERROR;
+        ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
+                      "quic unknown frame type 0x%xL", varint);
+        return NGX_ERROR;
+    }
+
     f->type = varint;
 
     if (ngx_quic_frame_allowed(pkt, f->type) != NGX_OK) {
diff --git a/src/event/quic/ngx_event_quic_transport.h b/src/event/quic/ngx_event_quic_transport.h
index 2cda8088f..9fb621721 100644
--- a/src/event/quic/ngx_event_quic_transport.h
+++ b/src/event/quic/ngx_event_quic_transport.h
@@ -83,6 +83,8 @@
 #define NGX_QUIC_FT_CONNECTION_CLOSE_APP                 0x1D
 #define NGX_QUIC_FT_HANDSHAKE_DONE                       0x1E
 
+#define NGX_QUIC_FT_LAST  NGX_QUIC_FT_HANDSHAKE_DONE
+
 /* 22.4.  QUIC Transport Error Codes Registry */
 /* Keep in sync with ngx_quic_errors[] */
 #define NGX_QUIC_ERR_NO_ERROR                            0x00