]> git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
projects / thirdparty / haproxy.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 299a441)
BUG/MINOR: quic-be: Wrong retry_source_connection_id check
authorFrederic Lecaille <flecaille@haproxy.com>
Fri, 27 Jun 2025 05:53:28 +0000 (07:53 +0200)
committerFrederic Lecaille <flecaille@haproxy.com>
Fri, 27 Jun 2025 05:59:12 +0000 (07:59 +0200)
This commit broke the QUIC backend connection to servers without address validation
or retry activated:

  MINOR: quic-be: address validation support implementation (RETRY)

Indeed the retry_source_connection_id transport parameter was already checked as
as if it was required, as if the peer (server) was always using the address validation.
Furthermore, relying on ->odcid.len to ensure a retry token was received is not
correct.

This patch ensures the retry_source_connection_id transport parameter is checked
only when a retry token was received (->retry_token != NULL). In this case
it also checks that this transport parameter is present when a retry token
has been received (tx_params->retry_source_connection_id.len != 0).

No need to backport.

src/quic_tp.c patch | blob | blame | history

diff --git a/src/quic_tp.c b/src/quic_tp.c
index fb47aa7909d07e2778e2d4096d960f79435726d3..bc33664d495510c35749f67ceb5fcccf49b40cd0 100644 (file)
--- a/src/quic_tp.c
+++ b/src/quic_tp.c
@@ -759,10 +759,14 @@ int quic_transport_params_store(struct quic_conn *qc, int server,
                return 0;
        }
 
-       if (server && (qc->odcid.len != tx_params->retry_source_connection_id.len ||
-                      memcmp(qc->odcid.data, tx_params->retry_source_connection_id.data, qc->odcid.len) != 0)) {
-               TRACE_ERROR("retry_source_connection_id mismatch", QUIC_EV_TRANSP_PARAMS, qc);
-               return 0;
+       if (server && qc->retry_token) {
+               if (!tx_params->retry_source_connection_id.len ||
+                   (qc->odcid.len != tx_params->retry_source_connection_id.len ||
+                    memcmp(qc->odcid.data, tx_params->retry_source_connection_id.data, qc->odcid.len) != 0)) {
+                       quic_set_connection_close(qc, quic_err_transport(QC_ERR_TRANSPORT_PARAMETER_ERROR));
+                       TRACE_ERROR("retry_source_connection_id absence or mismatch", QUIC_EV_TRANSP_PARAMS, qc);
+                       return 1;
+               }
        }
 
        /* Update the connection from transport parameters received */
Mirror of https://github.com/haproxy/haproxy.git