[nginx] QUIC: avoid assigning unvalidated address to new streams.
Maxim Dounin
mdounin at mdounin.ru
Tue May 19 02:46:31 UTC 2026
details: http://freenginx.org/hg/nginx/rev/0ffc9191ae38
branches:
changeset: 9524:0ffc9191ae38
user: Roman Arutyunyan <arut at nginx.com>
date: Thu Apr 30 17:15:53 2026 +0400
description:
QUIC: avoid assigning unvalidated address to new streams.
Previously, when a client migrated to a new address, new QUIC streams
received this address before validation. This allowed an attacker to
create QUIC streams with a spoofed address.
Reported by Rodrigo Laneth.
Obtained from:
https://github.com/nginx/nginx/commit/f37ec3e5d4f527e52ed5b25951ad8aa7d1ff6266
diffstat:
src/event/quic/ngx_event_quic_migration.c | 9 +++++----
1 files changed, 5 insertions(+), 4 deletions(-)
diffs (34 lines):
diff --git a/src/event/quic/ngx_event_quic_migration.c b/src/event/quic/ngx_event_quic_migration.c
--- a/src/event/quic/ngx_event_quic_migration.c
+++ b/src/event/quic/ngx_event_quic_migration.c
@@ -193,6 +193,8 @@ valid:
path->validated = 1;
+ ngx_quic_set_connection_path(c, path);
+
if (path->mtu_unvalidated) {
path->mtu_unvalidated = 0;
return ngx_quic_validate_path(c, path);
@@ -510,9 +512,10 @@ ngx_quic_handle_migration(ngx_connection
qc->path = next;
qc->path->tag = NGX_QUIC_PATH_ACTIVE;
- ngx_quic_set_connection_path(c, next);
+ if (next->validated) {
+ ngx_quic_set_connection_path(c, next);
- if (!next->validated && next->state != NGX_QUIC_PATH_VALIDATING) {
+ } else if (next->state != NGX_QUIC_PATH_VALIDATING) {
if (ngx_quic_validate_path(c, next) != NGX_OK) {
return NGX_ERROR;
}
@@ -806,8 +809,6 @@ ngx_quic_expire_path_validation(ngx_conn
qc->path = bkp;
qc->path->tag = NGX_QUIC_PATH_ACTIVE;
- ngx_quic_set_connection_path(c, qc->path);
-
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"quic path seq:%uL addr:%V is restored from backup",
qc->path->seqnum, &qc->path->addr_text);
More information about the nginx-devel
mailing list