From 4a5d82a97d9269eb17f9b92af6c8a9cd904705cd Mon Sep 17 00:00:00 2001 From: Amaury Denoyelle Date: Tue, 7 Jan 2025 18:22:00 +0100 Subject: [PATCH] BUG/MINOR: quic: reject NEW_TOKEN frames from clients As specified by RFC 9000, reject NEW_TOKEN frames emitted by clients. Close the connection with error code PROTOCOL_VIOLATION. This must be backported up to 2.6. --- src/quic_rx.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/src/quic_rx.c b/src/quic_rx.c index b333c13ff96b1..293bda0c0d84b 100644 --- a/src/quic_rx.c +++ b/src/quic_rx.c @@ -915,7 +915,21 @@ static int qc_parse_pkt_frms(struct quic_conn *qc, struct quic_rx_packet *pkt, break; case QUIC_FT_NEW_TOKEN: - /* TODO */ + if (qc_is_listener(qc)) { + TRACE_ERROR("reject NEW_TOKEN frame emitted by client", + QUIC_EV_CONN_PRSHPKT, qc); + + /* RFC 9000 19.7. NEW_TOKEN Frames + * Clients MUST NOT send NEW_TOKEN frames. A server MUST treat receipt + * of a NEW_TOKEN frame as a connection error of type + * PROTOCOL_VIOLATION. + */ + quic_set_connection_close(qc, quic_err_transport(QC_ERR_PROTOCOL_VIOLATION)); + goto err; + } + else { + /* TODO */ + } break; case QUIC_FT_STREAM_8 ... QUIC_FT_STREAM_F: {