From 44ae75220a8ac248cb734c39a780472f0ba11057 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?=
Date: Mon, 21 Mar 2022 12:18:00 +0100
Subject: [PATCH] BUG/MINOR: quic: Incorrect peer address validation

We must consider the peer address as validated as soon as we received an handshake packet. An ACK frame in handshake packet was too restrictive. Rename the concerned flag to reflect this situation.
---
 include/haproxy/xprt_quic-t.h | 6 +++---
 src/xprt_quic.c | 10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/include/haproxy/xprt_quic-t.h b/include/haproxy/xprt_quic-t.h
index fd6486c26..8be3fe609 100644
--- a/include/haproxy/xprt_quic-t.h
+++ b/include/haproxy/xprt_quic-t.h
@@ -387,9 +387,9 @@ struct quic_arngs {
 size_t enc_sz;
 };
 
-/* Flag the packet number space as having received an ACK frame */
-#define QUIC_FL_PKTNS_ACK_RECEIVED_BIT 0
-#define QUIC_FL_PKTNS_ACK_RECEIVED (1UL << QUIC_FL_PKTNS_ACK_RECEIVED_BIT)
+/* Flag the packet number space as having received a packet */
+#define QUIC_FL_PKTNS_PKT_RECEIVED_BIT 0
+#define QUIC_FL_PKTNS_PKT_RECEIVED (1UL << QUIC_FL_PKTNS_PKT_RECEIVED_BIT)
 
 /* Flag the packet number space as requiring an ACK frame to be sent. */
 #define QUIC_FL_PKTNS_ACK_REQUIRED_BIT 1
diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index b9723d937..a386d8106 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -597,8 +597,8 @@ static inline int quic_peer_validated_addr(struct quic_conn *qc)
 
 hdshk_pktns = qc->els[QUIC_TLS_ENC_LEVEL_HANDSHAKE].pktns;
 app_pktns = qc->els[QUIC_TLS_ENC_LEVEL_APP].pktns;
- if ((HA_ATOMIC_LOAD(&hdshk_pktns->flags) & QUIC_FL_PKTNS_ACK_RECEIVED) ||
- (HA_ATOMIC_LOAD(&app_pktns->flags) & QUIC_FL_PKTNS_ACK_RECEIVED) ||
+ if ((HA_ATOMIC_LOAD(&hdshk_pktns->flags) & QUIC_FL_PKTNS_PKT_RECEIVED) ||
+ (HA_ATOMIC_LOAD(&app_pktns->flags) & QUIC_FL_PKTNS_PKT_RECEIVED) ||
 HA_ATOMIC_LOAD(&qc->state) >= QUIC_HS_ST_COMPLETE)
 return 1;
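Review bot: The `app_pktns` term of the condition in quic_peer_validated_addr() now becomes true on any packet received in the application packet number space, where before it required an ACK of data this endpoint had sent. If 0-RTT packets are accounted in the same packet number space as 1-RTT packets (the mapping is not visible in this hunk), a 0-RTT packet arriving before any Handshake packet would mark the address as validated, although receiving 0-RTT data does not prove the sender owns the source address, so the anti-amplification limit would be lifted too early. Consider keeping only the handshake test, `if ((HA_ATOMIC_LOAD(&hdshk_pktns->flags) & QUIC_FL_PKTNS_PKT_RECEIVED) || HA_ATOMIC_LOAD(&qc->state) >= QUIC_HS_ST_COMPLETE)`, or setting the flag in qc_parse_pkt_frms() only for Handshake and 1-RTT packets. The function body starts and ends outside the hunk.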
@@ -1869,9 +1869,6 @@ static inline int qc_parse_ack_frm(struct quic_conn *qc,
 qc, NULL, &largest, &smallest);
 } while (1);
 
- /* Flag this packet number space as having received an ACK. */
- HA_ATOMIC_OR(&qel->pktns->flags, QUIC_FL_PKTNS_ACK_RECEIVED);
-
 if (time_sent && (pkt_flags & QUIC_FL_TX_PACKET_ACK_ELICITING)) {
 *rtt_sample = tick_remain(time_sent, now_ms);
 HA_ATOMIC_STORE(&qel->pktns->rx.largest_acked_pn, ack->largest_ack);
@@ -2469,6 +2466,9 @@ static int qc_parse_pkt_frms(struct quic_rx_packet *pkt, struct ssl_sock_ctx *ct
 }
 }
 
+ /* Flag this packet number space as having received a packet. */
+ HA_ATOMIC_OR(&qel->pktns->flags, QUIC_FL_PKTNS_PKT_RECEIVED);
+
 if (fast_retrans)
 qc_prep_hdshk_fast_retrans(qc);
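Review bot: The HA_ATOMIC_OR() added in qc_parse_pkt_frms() sets the flag on `qel->pktns` whatever the encryption level, so the Initial space gets QUIC_FL_PKTNS_PKT_RECEIVED as well, and receipt of an Initial packet must not count as address validation. That is harmless only as long as quic_peer_validated_addr() never reads the Initial space, so the comment should record the constraint, e.g. `/* Flag this packet number space as having received a packet. The flag of the Initial space must never be used for peer address validation. */`. It is also not visible from this hunk whether this line is reached when frame parsing failed; the flag should be set only once all frames of the packet were accepted. The function body starts and ends outside the hunk.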