Branch: refs/heads/openssl-3.6
Home: https://github.com/openssl/openssl
Commit: f1c8d628284bc3011714141d9abb89f7ce55efc0
https://github.com/openssl/openssl/commit/f1c8d628284bc3011714141d9abb89f7ce55efc0
Author: Jakub Zelenka <jakub....@openssl.foundation>
Date: 2026-05-29 (Fri, 29 May 2026)
Changed paths:
M ssl/quic/quic_record_rx.c
Log Message:
-----------
quic: fix handling of the first rxe mfail in qrx_process_pkt

When qrx_ensure_free_rxe() fails at the start of qrx_process_pkt() the
function returned 0 without advancing the PACKET cursor and, for the
first packet in the datagram, without setting first_dcid. The
qrx_process_datagram() loop then re-entered qrx_process_pkt() for the
same bytes with pkt_idx >= 1 and the sentinel first_dcid (id_len = 255),
tripping the assertion in qrx_validate_hdr_early() that asserts
first_dcid->id_len to be lower than QUIC_MAX_CONN_ID_LEN.

The fix goes to the malformed label instead. The header has not been decoded
at this point so eop is NULL, which makes the malformed path discard the
rest of the datagram. This is because without an RXE we can process
neither this packet nor any that follow it. This also advances the
cursor and, when the failure is on the first packet, avoids leaving
first_dcid unset for the next iteration. It is consistent with the
other allocation-failure site in the function, which already routes
through malformed.

Reviewed-by: Matt Caswell <ma...@openssl.foundation>
Reviewed-by: Saša Nedvědický <sas...@openssl.org>
MergeDate: Fri May 29 14:08:56 2026
(Merged from https://github.com/openssl/openssl/pull/31316)
(cherry picked from commit 31d61a1ceb1556d729410d4ae59503f49e58cf22)
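
A simplified model of the control flow the log message describes, added here as an illustration; it is not OpenSSL code. The struct, the function bodies, the one-unit packets and the constant values are assumptions of the model; only the function roles and the 255 sentinel come from the message.

```c
#include <stdio.h>

#define MAX_CID_LEN 20   /* model stand-in for QUIC_MAX_CONN_ID_LEN */
#define CID_UNSET   255  /* sentinel id_len named in the commit message */

struct result { int iterations, pkts_ok, sentinel_seen; };

/* Model: one packet is one unit of *remaining; alloc_ok stands in for
 * qrx_ensure_free_rxe() succeeding; fixed selects before/after behaviour. */
static int process_pkt(size_t *remaining, int pkt_idx, unsigned *first_dcid_len,
                       int alloc_ok, int fixed, struct result *r)
{
    if (!alloc_ok) {
        if (!fixed)
            return 0;          /* before: cursor and first_dcid left untouched */
        goto malformed;        /* after: take the discard path */
    }
    if (pkt_idx > 0 && !(*first_dcid_len < MAX_CID_LEN)) {
        r->sentinel_seen = 1;  /* the real code asserts at this point */
        *remaining = 0;        /* model only: stop the loop */
        return 0;
    }
    if (pkt_idx == 0)
        *first_dcid_len = 8;   /* constructed DCID length */
    *remaining -= 1;
    r->pkts_ok++;
    return 1;
malformed:
    *remaining = 0;            /* no end of packet known: drop the rest */
    return 0;
}

/* Datagram loop in which only the first allocation fails. */
static struct result process_datagram(size_t npkts, int fixed)
{
    struct result r = { 0, 0, 0 };
    size_t remaining = npkts;
    unsigned first_dcid_len = CID_UNSET;
    int pkt_idx;

    for (pkt_idx = 0; remaining > 0; pkt_idx++) {
        r.iterations++;
        process_pkt(&remaining, pkt_idx, &first_dcid_len, pkt_idx != 0, fixed, &r);
    }
    return r;
}

int main(void)
{
    struct result b = process_datagram(3, 0), a = process_datagram(3, 1);
    printf("before: sentinel=%d after: sentinel=%d\n", b.sentinel_seen, a.sentinel_seen);
    return 0;
}
```

In the "before" run the second iteration reaches the validation step with the sentinel still in place; in the "after" run the loop ends after one iteration because the rest of the datagram is discarded.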