[PATCH 08 of 10] QUIC: avoid assigning unvalidated address to new streams

Maxim Dounin mdounin at mdounin.ru
Sun May 17 00:12:41 UTC 2026


# HG changeset patch
# User Roman Arutyunyan <arut at nginx.com>
# Date 1777554953 -14400
#      Thu Apr 30 17:15:53 2026 +0400
# Node ID 4f8c88f32b9723c688fd76c121f8f39361967097
# Parent  76599662afacdc5732fe33583cc7ed02716701a5
QUIC: avoid assigning unvalidated address to new streams.

Previously, when a client migrated to a new address, new QUIC streams
received this address before validation.  This allowed an attacker to
create QUIC streams with a spoofed address.

Reported by Rodrigo Laneth.

Obtained from:
https://github.com/nginx/nginx/commit/f37ec3e5d4f527e52ed5b25951ad8aa7d1ff6266

diff --git a/src/event/quic/ngx_event_quic_migration.c b/src/event/quic/ngx_event_quic_migration.c
--- a/src/event/quic/ngx_event_quic_migration.c
+++ b/src/event/quic/ngx_event_quic_migration.c
@@ -193,6 +193,8 @@ valid:
 
     path->validated = 1;
 
+    ngx_quic_set_connection_path(c, path);
+
     if (path->mtu_unvalidated) {
         path->mtu_unvalidated = 0;
         return ngx_quic_validate_path(c, path);
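Review bot: the new ngx_quic_set_connection_path(c, path) under valid: runs for whichever path just completed validation, with no check that path is the currently active one (qc->path); the migration hunk below, by contrast, only assigns the address for next after qc->path = next. If a PATH_RESPONSE can still be matched to a path that is no longer active (a backup path, or one the client has since migrated away from again), this would move the connection to a non-active address. Consider guarding it with `if (path == qc->path)` or the equivalent tag check, or add a comment stating why validation can only complete for the active path.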
@@ -510,9 +512,10 @@ ngx_quic_handle_migration(ngx_connection
     qc->path = next;
     qc->path->tag = NGX_QUIC_PATH_ACTIVE;
 
-    ngx_quic_set_connection_path(c, next);
+    if (next->validated) {
+        ngx_quic_set_connection_path(c, next);
 
-    if (!next->validated && next->state != NGX_QUIC_PATH_VALIDATING) {
+    } else if (next->state != NGX_QUIC_PATH_VALIDATING) {
         if (ngx_quic_validate_path(c, next) != NGX_OK) {
             return NGX_ERROR;
         }
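Review bot: the else branch leaves the connection address on the previous path while next is unvalidated, so until the PATH_RESPONSE is processed, packets sent through the connection's address (as opposed to the PATH_CHALLENGE probe addressed to next) keep going to the old address. That is the intended trade-off for the spoofing issue, but it is also a behaviour change for a legitimate NAT rebinding where the old address is dead: the connection stalls until validation completes or expires. A comment above the if/else saying that the connection address deliberately lags validation, and that it is assigned in the validation handler once next->validated is set, would keep the next reader from "fixing" this back.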
@@ -806,8 +809,6 @@ ngx_quic_expire_path_validation(ngx_conn
         qc->path = bkp;
         qc->path->tag = NGX_QUIC_PATH_ACTIVE;
 
-        ngx_quic_set_connection_path(c, qc->path);
-
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "quic path seq:%uL addr:%V is restored from backup",
                       qc->path->seqnum, &qc->path->addr_text);
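Review bot: dropping ngx_quic_set_connection_path(c, qc->path) here relies on the connection address never having left bkp during the failed validation, which only holds because the migration path now assigns the address solely for validated paths. If bkp can itself be an unvalidated path (a migration to a second new address while the first was still validating), the connection address after the restore belongs to neither bkp nor the expired path. If that case is unreachable, a one-line comment noting that the address still belongs to bkp would make the removal self-evident; otherwise keep the call, guarded by bkp->validated.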
