BUG/MAJOR: quic: Possible crash when processing 1-RTT during 0-RTT session
This bug was revealed by some C1 interop tests (heavy handshake packet
corruption) when receiving 1-RTT packets with a key phase update.
This led the packet to be decrypted with the next key phase secrets.
But the latter is initialized only after the handshake is complete.
In fact, 1-RTT must never be processed before the handshake is complete.
Relying on the "qc->mux_state == QC_MUX_NULL" condition to check the
handshake is complete is wrong during 0-RTT sessions when the mux
is initialized before the handshake is complete.
Must be backported to 2.7 and 2.6.
diff --git a/src/quic_conn.c b/src/quic_conn.c
index 907ee98..79c2013 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -4035,6 +4035,11 @@
goto cant_rm_hp;
}
+ if (tel == QUIC_TLS_ENC_LEVEL_APP && qc->state < QUIC_HS_ST_COMPLETE) {
+ TRACE_DEVEL("handshake not complete", QUIC_EV_CONN_TRMHP, qc);
+ goto cant_rm_hp;
+ }
+
/* check if the connection layer is ready before using app level */
if ((tel == QUIC_TLS_ENC_LEVEL_APP || tel == QUIC_TLS_ENC_LEVEL_EARLY_DATA) &&
qc->mux_state == QC_MUX_NULL) {
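Review bot: the new guard (`tel == QUIC_TLS_ENC_LEVEL_APP && qc->state < QUIC_HS_ST_COMPLETE`) carries no comment, while the existing block right below it does ("check if the connection layer is ready before using app level"); add a one-line comment giving the reason from the commit message, e.g. `/* 1-RTT packets must not be processed before the handshake completes: the next key phase secrets are not derived yet. */`, so the next reader does not fold it back into the mux_state check. Two things worth making explicit in that comment: the guard deliberately leaves QUIC_TLS_ENC_LEVEL_EARLY_DATA alone so 0-RTT packets keep being processed before completion (which is the whole point of the fix), and the `<` comparison relies on the QUIC_HS_ST_* values being ordered with QUIC_HS_ST_COMPLETE after every in-progress state, which should be confirmed against the enum definition.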