Summary
A remote can trick us into attempting to send a MAX_DATA with a value larger than the maximum varint, thus leading to a panic.
Reported in https://bugzilla.mozilla.org/show_bug.cgi?id=1965279.
Details
For connection flow control, Neqo simply sets a huge limit, i.e. the QUIC varint max value.
    const LOCAL_MAX_DATA: u64 = 0x3FFF_FFFF_FFFF_FFFF; // 2^62-1
A remote can trick us into attempting to encode a value larger than the QUIC varint max value by consuming 1 or more bytes on the connection and then sending a DATA_BLOCKED frame.
Neqo will attempt to send a MAX_DATA connection flow control update with a value larger than the QUIC varint max value.
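The arithmetic behind this, as an added example that is not Neqo's code: it assumes the next MAX_DATA value is computed as bytes consumed plus the local window, and ReceiverFlowControl, encode_varint and the two next_max_data_* methods are hypothetical names. It shows the unchecked value falling outside the varint range after a single consumed byte, next to a clamped form that stays encodable.

```rust
/// Largest value a QUIC variable-length integer can carry (RFC 9000, section 16).
const VARINT_MAX: u64 = (1 << 62) - 1;
/// Same value as the constant quoted above.
const LOCAL_MAX_DATA: u64 = 0x3FFF_FFFF_FFFF_FFFF;

/// Hypothetical encoder: returns None for out-of-range input instead of panicking.
fn encode_varint(v: u64) -> Option<Vec<u8>> {
    // The two high bits of the first byte select the encoded length.
    let (len, prefix): (usize, u8) = match v {
        0..=0x3F => (1, 0b00),
        0x40..=0x3FFF => (2, 0b01),
        0x4000..=0x3FFF_FFFF => (4, 0b10),
        0x4000_0000..=VARINT_MAX => (8, 0b11),
        _ => return None, // 2^62 and above cannot be represented
    };
    let mut out = v.to_be_bytes()[8 - len..].to_vec();
    out[0] |= prefix << 6;
    Some(out)
}

/// Simplified model of receive-side connection flow control (assumption).
struct ReceiverFlowControl {
    window: u64,   // how far ahead of consumption the limit is kept
    consumed: u64, // bytes the peer has sent and we have consumed
}

impl ReceiverFlowControl {
    /// Unchecked update: with window == VARINT_MAX, any consumed byte
    /// pushes the result to 2^62 or beyond.
    fn next_max_data_unchecked(&self) -> u64 {
        self.consumed + self.window
    }

    /// Hardened update: never advertise more than a varint can encode.
    fn next_max_data_clamped(&self) -> u64 {
        self.consumed.saturating_add(self.window).min(VARINT_MAX)
    }
}

fn main() {
    // Constructed state: one byte consumed, then a DATA_BLOCKED prompts an update.
    let fc = ReceiverFlowControl { window: LOCAL_MAX_DATA, consumed: 1 };
    let bad = encode_varint(fc.next_max_data_unchecked());
    let good = encode_varint(fc.next_max_data_clamped());
    println!("unchecked encodable: {}", bad.is_some());
    println!("clamped encodable:   {}", good.is_some());
}
```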
Impact
A remote QUIC server can trigger a panic in Neqo, which crashes the socket thread and, in turn, the main process.
The LOCAL_MAX_DATA constant is defined in neqo/neqo-transport/src/connection/params.rs, line 30 in 8add3f8.