Summary
A remote, unauthenticated attacker acting as a QUIC client can crash (panic) a Neqo QUIC server by sending it a NEW_TOKEN frame, a frame type that only a server is permitted to send. The result is a denial-of-service vulnerability.
Details
If the QUIC server receives a NEW_TOKEN frame in a 1-RTT packet after the handshake has completed, it panics instead of handling the protocol violation gracefully. NEW_TOKEN frames are only ever sent from server to client; RFC 9000 Section 19.7 requires that a server treat receipt of a NEW_TOKEN frame as a connection error of type PROTOCOL_VIOLATION, i.e. close the connection with that error code rather than abort the process.
The panic occurs at neqo-transport/src/addr_valid.rs#L336.
PoC
- As a client, establish a QUIC connection to the server and complete the handshake. No credentials are required beyond what any client needs to connect.
- Send a 1-RTT packet containing a NEW_TOKEN frame. A client is never permitted to send this frame type.
- The server panics on receipt of the frame.
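The following is an added illustration, not code from Neqo: a minimal server-side frame dispatcher that shows the panicking pattern described in Details beside the RFC 9000 compliant handling the PoC above expects. The `Role`, `Frame` and `Error` types, `store_token`, and both `handle_frame*` functions are constructed for this example and do not correspond to identifiers in neqo-transport.

```rust
// Added example (not neqo's code): why an "unreachable" server branch is a
// remote DoS, and what RFC 9000 Section 19.7 requires instead.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Role {
    Client,
    Server,
}

/// Constructed subset of QUIC frame types relevant to this example.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Frame {
    Ping,
    NewToken(Vec<u8>),
}

/// Transport error codes from RFC 9000 Section 20.1 (only the one we need).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Error {
    /// 0x0a: peer violated protocol rules; connection is closed with this code.
    ProtocolViolation,
}

/// Vulnerable pattern: the server branch assumes a well-behaved peer and
/// panics. A remote client reaches it with a single crafted 1-RTT packet.
pub fn handle_frame_panicking(role: Role, frame: &Frame) -> Result<(), Error> {
    match frame {
        Frame::Ping => Ok(()),
        Frame::NewToken(token) => {
            if role == Role::Server {
                // "Cannot happen" with a correct peer, but an attacker is not one.
                unreachable!("server received NEW_TOKEN");
            }
            store_token(token);
            Ok(())
        }
    }
}

/// Hardened pattern: a server that receives NEW_TOKEN MUST treat it as a
/// connection error of type PROTOCOL_VIOLATION (RFC 9000 Section 19.7).
/// The error propagates to the connection, which sends CONNECTION_CLOSE;
/// the process keeps serving other connections.
pub fn handle_frame(role: Role, frame: &Frame) -> Result<(), Error> {
    match (role, frame) {
        (_, Frame::Ping) => Ok(()),
        (Role::Server, Frame::NewToken(_)) => Err(Error::ProtocolViolation),
        (Role::Client, Frame::NewToken(token)) => {
            store_token(token);
            Ok(())
        }
    }
}

/// Placeholder for the client-side token store (constructed for the example).
fn store_token(_token: &[u8]) {}

fn main() {
    // Constructed frame carrying an arbitrary token, as an attacker's client would send.
    let frame = Frame::NewToken(vec![0xde, 0xad, 0xbe, 0xef]);
    println!("server: {:?}", handle_frame(Role::Server, &frame)); // Err(ProtocolViolation)
    println!("client: {:?}", handle_frame(Role::Client, &frame)); // Ok(())
}
```

The point of the hardened form is that frame legality depends on the local role, so the match arms make the server/NEW_TOKEN combination an explicit error path rather than an assumed-impossible one. Any remaining `unreachable!`/`panic!` on a path that peer input can select is a one-packet crash.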
Impact
This is a denial-of-service vulnerability. Any client that can complete a QUIC handshake with the server, which requires no credentials, can then send one crafted 1-RTT packet that panics Neqo, crashing the server process and taking down every connection it was serving until it is restarted.