From 786a74e34ec89d0e78b95f2524dff68bf6235923 Mon Sep 17 00:00:00 2001 From: Sergey Kandaurov Date: Tue, 8 Sep 2020 13:35:50 +0300 Subject: [PATCH] QUIC: removed check for packet size beyond MAX_UDP_PAYLOAD_SIZE. The check tested the total size of a packet header and unprotected packet payload, which doesn't include the packet number length and expansion of the packet protection AEAD. If the packet was corrupted, it could cause false triggering of the condition due to unsigned type underflow leading to a connection error. Existing checks for the QUIC header and protected packet payload lengths should be enough. --- src/event/ngx_event_quic_protection.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/event/ngx_event_quic_protection.c b/src/event/ngx_event_quic_protection.c index 7a4ebdaa7..0d205a160 100644 --- a/src/event/ngx_event_quic_protection.c +++ b/src/event/ngx_event_quic_protection.c @@ -1089,11 +1089,6 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn, #endif pkt->payload.len = in.len - EVP_GCM_TLS_TAG_LEN; - - if (NGX_QUIC_MAX_UDP_PAYLOAD_SIZE - ad.len < pkt->payload.len) { - return NGX_ERROR; - } - pkt->payload.data = pkt->plaintext + ad.len; rc = ngx_quic_tls_open(ciphers.c, secret, &pkt->payload,