This bug was revealed by some C1 interop tests (heavy handshake packet
corruption) when receiving 1-RTT packets with a key phase update.
This led the packet to be decrypted with the next key phase secrets.
But the latter is initialized only after the handshake is complete.
In fact, 1-RTT must never be processed before the handshake is complete.
Relying on the "qc->mux_state == QC_MUX_NULL" condition to check the
handshake is complete is wrong during 0-RTT sessions when the mux
is initialized before the handshake is complete.
Must be backported to 2.7 and 2.6.
goto cant_rm_hp;
}
+ if (tel == QUIC_TLS_ENC_LEVEL_APP && qc->state < QUIC_HS_ST_COMPLETE) {
+ TRACE_DEVEL("handshake not complete", QUIC_EV_CONN_TRMHP, qc);
+ goto cant_rm_hp;
+ }
+
/* check if the connection layer is ready before using app level */
if ((tel == QUIC_TLS_ENC_LEVEL_APP || tel == QUIC_TLS_ENC_LEVEL_EARLY_DATA) &&
qc->mux_state == QC_MUX_NULL) {
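Review bot: the new early return for QUIC_TLS_ENC_LEVEL_APP when qc->state < QUIC_HS_ST_COMPLETE has no comment, while the check right after it does ("check if the connection layer is ready before using app level"); add a one-line comment stating the reason given in the commit message, i.e. the next key phase secrets are only derived once the handshake is complete, so a 1-RTT packet carrying a key phase update must not be unprotected before then. Also, the following condition still includes QUIC_TLS_ENC_LEVEL_APP in the "qc->mux_state == QC_MUX_NULL" test; with the handshake-complete check now in place that branch is partly redundant for APP and, as the commit message notes, mux_state is not a reliable handshake-complete signal during 0-RTT, so consider whether APP should remain in that condition or only QUIC_TLS_ENC_LEVEL_EARLY_DATA.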