Impact
Experimenting with cargo fuzz in #1764 immediately revealed a possible subtraction underflow in this line:
let token = Self::opt(decoder.decode(decoder.remaining() - expansion))?;
when decoder.remaining(), i.e., the number of bytes left in the incoming packet, is less than expansion. One input that triggers this crash is [179, 255, 0, 0, 32, 0, 0], but there are many others.
A misbehaving server can use this as a packet-of-death to crash the neqo stack (and possibly Fx?) by sending a malformed Retry packet in response to a QUIC Client Initial (for example).
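The following is an added example and not neqo's code: a minimal Retry packet parser (layout per RFC 9000 section 17.2.5) that models the `remaining() - expansion` step, shows the bogus length the naive subtraction produces, and rejects the advisory's crashing input with checked_sub instead of underflowing. The Decoder type, function names and the 16-byte expansion value for QUIC v1 are this example's own assumptions.

```rust
// Added example, not neqo's code: parsing the token out of a Retry packet
// without the `remaining - expansion` underflow the advisory describes.
// Layout (RFC 9000 17.2.5): first byte, 4-byte version, DCID len + DCID,
// SCID len + SCID, Retry Token (variable), Retry Integrity Tag (16 bytes).

/// Minimal cursor over the packet; `decode` returns None instead of panicking.
struct Decoder<'a> { buf: &'a [u8], pos: usize }
impl<'a> Decoder<'a> {
    fn remaining(&self) -> usize { self.buf.len() - self.pos }
    fn decode(&mut self, n: usize) -> Option<&'a [u8]> {
        if n > self.remaining() { return None; }
        let buf = self.buf;
        let out = &buf[self.pos..self.pos + n];
        self.pos += n;
        Some(out)
    }
    fn decode_byte(&mut self) -> Option<u8> { self.decode(1).map(|b| b[0]) }
}

/// What the naive `remaining - expansion` computes; with plain `-` this panics
/// in debug builds once remaining < expansion, `wrapping_sub` shows the value.
fn naive_token_len(remaining: usize, expansion: usize) -> usize {
    remaining.wrapping_sub(expansion)
}

/// Returns (token, integrity tag), or None for any malformed packet.
/// `expansion` is the integrity tag length, 16 bytes for QUIC v1.
fn parse_retry(packet: &[u8], expansion: usize) -> Option<(Vec<u8>, Vec<u8>)> {
    let mut d = Decoder { buf: packet, pos: 0 };
    let first = d.decode_byte()?;
    // Long header (bit 7 set) with long packet type 0b11 (Retry) in bits 5-4.
    if first & 0x80 == 0 || (first >> 4) & 0x03 != 0x03 { return None; }
    let _version = d.decode(4)?;
    let dcid_len = usize::from(d.decode_byte()?);
    let _dcid = d.decode(dcid_len)?;
    let scid_len = usize::from(d.decode_byte()?);
    let _scid = d.decode(scid_len)?;
    // The fix: a packet too short to hold the tag is rejected, not underflowed.
    let token_len = d.remaining().checked_sub(expansion)?;
    let token = d.decode(token_len)?.to_vec();
    let tag = d.decode(expansion)?.to_vec();
    Some((token, tag))
}
/// The crashing input quoted in the advisory: a Retry header with no token or tag.
const CRASH_INPUT: [u8; 7] = [179, 255, 0, 0, 32, 0, 0];
fn main() {
    println!("naive length: {}", naive_token_len(0, 16));
    println!("parsed: {:?}", parse_retry(&CRASH_INPUT, 16));
}
```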
Patches
A fix for the bug was merged in b3cf65f.
Workarounds
None.
References
https://bugzilla.mozilla.org/show_bug.cgi?id=1886929