Skip to content

quic: drop version negotiation packets with oversized CIDs#64228

Open
3zrv wants to merge 1 commit into
nodejs:mainfrom
3zrv:fix-quic-vn-oversized-cid-abort
Open

quic: drop version negotiation packets with oversized CIDs#64228
3zrv wants to merge 1 commit into
nodejs:mainfrom
3zrv:fix-quic-vn-oversized-cid-abort

Conversation

@3zrv

@3zrv 3zrv commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

A single unauthenticated UDP datagram can crash a QUIC endpoint before any handshake.

When a long-header packet carries an unsupported QUIC version, ngtcp2_pkt_decode_version_cid() returns the connection ID lengths verbatim from the single-byte length fields on the wire, it only clamps to NGTCP2_MAX_CIDLEN (20) for supported versions, so these lengths can be up to 255.

In the NGTCP2_ERR_VERSION_NEGOTIATION branch, Endpoint::Receive() built CID objects directly from those lengths before the existing CID-length check (which sits after the switch, on the supported-version path only).

A CID is backed by a fixed 20-byte ngtcp2_cid buffer, so a DCID/SCID length > 20 overruns it. Because Node does not define NDEBUG, the assert(datalen <= NGTCP2_MAX_CIDLEN) inside ngtcp2_cid_init() is compiled in and the process aborts.

Fix

Extend the CID-length policy already applied to supported-version packets to the version-negotiation branch: drop packets whose decoded connection IDs exceed NGTCP2_MAX_CIDLEN. Node's QUIC only supports v1 (CIDs ≤ 20 bytes), and the post-switch path already drops oversized-CID packets, so this is consistent with existing behavior.

Test

Adds test/parallel/test-quic-version-negotiation-oversized-cid.mjs: it sends a crafted oversized-DCID datagram via node:dgram and asserts the endpoint drops it without crashing, while a well-formed unsupported-version datagram still
produces exactly one Version Negotiation response.

Notes

  • Affects only builds configured with --experimental-quic (Stability 1.0).
  • The construct-before-check ordering appears identical in upstream nodejs/node — likely a latent upstream issue, not specific to this branch.

@nodejs-github-bot

Copy link
Copy Markdown
Collaborator

Review requested:

  • @nodejs/quic

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. needs-ci PRs that need a full CI run. quic Issues and PRs related to the QUIC implementation / HTTP/3. labels Jul 1, 2026
Signed-off-by: Mohamed Sayed <k@3zrv.com>
@3zrv 3zrv force-pushed the fix-quic-vn-oversized-cid-abort branch from 6c8ce01 to d3b996f Compare July 1, 2026 10:12
@nodejs-github-bot

This comment was marked as outdated.

@addaleax addaleax added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Jul 5, 2026
@nodejs-github-bot

nodejs-github-bot commented Jul 5, 2026

Copy link
Copy Markdown
Collaborator

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

author ready PRs that have at least one approval, no pending requests for changes, and a CI started. c++ Issues and PRs that require attention from people who are familiar with C++. needs-ci PRs that need a full CI run. quic Issues and PRs related to the QUIC implementation / HTTP/3.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants