bugfix: backport fixes for CVE-2024-24989 and CVE-2024-24990.
1 parent
7b7fcbe
commit 9c9495b
Showing
4 changed files
with
76 additions
and
1 deletion.
@@ -0,0 +1,36 @@ | ||
commit 5902baf680609f884a1e11ff2b82a0bffb3724cc | ||
Author: Sergey Kandaurov <pluknet@nginx.com> | ||
Date: Wed Feb 14 15:55:34 2024 +0400 | ||
|
||
QUIC: trial packet decryption in response to invalid key update. | ||
|
||
Inspired by RFC 9001, Section 6.3, trial packet decryption with the current | ||
keys is now used to avoid a timing side-channel signal. Further, this fixes | ||
segfault while accessing missing next keys (ticket #2585). | ||
|
||
diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c | ||
index 88e6954cf..8223626b6 100644 | ||
--- a/src/event/quic/ngx_event_quic_protection.c | ||
+++ b/src/event/quic/ngx_event_quic_protection.c | ||
@@ -1144,8 +1144,19 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn) | ||
key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0; | ||
|
||
if (key_phase != pkt->key_phase) { | ||
- secret = &pkt->keys->next_key.client; | ||
- pkt->key_update = 1; | ||
+ if (pkt->keys->next_key.client.ctx != NULL) { | ||
+ secret = &pkt->keys->next_key.client; | ||
+ pkt->key_update = 1; | ||
+ | ||
+ } else { | ||
+ /* | ||
+ * RFC 9001, 6.3. Timing of Receive Key Generation. | ||
+ * | ||
+ * Trial decryption to avoid timing side-channel. | ||
+ */ | ||
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pkt->log, 0, | ||
+ "quic next key missing"); | ||
+ } | ||
} | ||
} | ||
|
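Review bot: The new else branch leaves `secret` and `pkt->key_update` untouched, so the packet is decrypted with whatever `secret` already holds, but neither the code nor the comment says that this decryption is expected to fail and the packet to be discarded, nor that the failure must not be reported any differently from an ordinary AEAD failure (RFC 9001 §9.5). I would extend the comment to: `/* next keys not yet derived: decrypt with the current keys so an invalid Key Phase bit costs the same as a genuine update; the AEAD is expected to reject the packet, which must not be treated as a key update */`. The guard relies on `secret` having been set to the current client keys earlier in ngx_quic_decrypt (outside the hunk) and on `next_key.client.ctx` being NULL until the next keys are derived and again after they are discarded; a stale non-NULL ctx would defeat the check, so both should be confirmed. ngx_quic_decrypt starts and continues outside this hunk.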
@@ -0,0 +1,27 @@ | ||
commit 5818f8a6693b3c0d95021f2ee58b69dcf848911c | ||
Author: Roman Arutyunyan <arut@nginx.com> | ||
Date: Wed Feb 14 15:55:37 2024 +0400 | ||
|
||
QUIC: fixed stream cleanup (ticket #2586). | ||
|
||
Stream connection cleanup handler ngx_quic_stream_cleanup_handler() calls | ||
ngx_quic_shutdown_stream() after which it resets the pointer from quic stream | ||
to the connection (sc->connection = NULL). Previously if this call failed, | ||
sc->connection retained the old value, while the connection was freed by the | ||
application code. This resulted later in a second attempt to close the freed | ||
connection, which lead to allocator double free error. | ||
|
||
The fix is to reset the sc->connection pointer in case of error. | ||
|
||
diff --git a/src/event/quic/ngx_event_quic_streams.c b/src/event/quic/ngx_event_quic_streams.c | ||
index df04d0f07..178b805e4 100644 | ||
--- a/src/event/quic/ngx_event_quic_streams.c | ||
+++ b/src/event/quic/ngx_event_quic_streams.c | ||
@@ -1097,6 +1097,7 @@ ngx_quic_stream_cleanup_handler(void *data) | ||
"quic stream id:0x%xL cleanup", qs->id); | ||
|
||
if (ngx_quic_shutdown_stream(c, NGX_RDWR_SHUTDOWN) != NGX_OK) { | ||
+ qs->connection = NULL; | ||
goto failed; | ||
} | ||
|
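Review bot: The added `qs->connection = NULL;` carries no explanation of why the back-pointer must be dropped on the error path, and since ngx_quic_stream_cleanup_handler begins and ends outside the hunk a later reader sees only a bare assignment before `goto failed`. A one-line comment would preserve the reasoning from the message: `/* c is being freed by the caller; clear the back-pointer so the stream is not closed twice (ticket #2586) */`. Note that the patch description refers to `sc->connection` while the code resets `qs->connection`; presumably the same field under a different local name, but worth aligning when the description is revised. The fix also assumes the later close path checks `qs->connection` for NULL before touching it; that check is outside the hunk and should be confirmed.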
@@ -1,7 +1,7 @@ | ||
#!/bin/bash | ||
|
||
main_ver=1.25.3 | ||
minor_ver=1 | ||
minor_ver=2 | ||
version=$main_ver.$minor_ver | ||
echo $version | ||
|