Opened 3 years ago

Closed 3 years ago

Last modified 2 years ago

#2446 closed defect (fixed)

QUIC: ngx_quic_send_new_token was broken by 3550b00d9dc8 (nginx 1.23.3)

Reported by: bullerdu@… Owned by:
Priority: minor Milestone:
Component: documentation Version: 1.23.x
Keywords: Cc:
uname -a: Linux cdn-dev011164234021.na61 4.19.91-008.ali4000.alios7.x86_64 #1 SMP Fri Sep 4 17:33:26 CST 2020 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.19.1
built by gcc 9.3.0 (GCC)
built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --with-debug --with-http_v3_module --prefix=/home/yefei.dyf/nginx --with-cc-opt=-I/home/yefei.dyf/boringssl/include --with-ld-opt='-L/home/yefei.dyf/boringssl/ssl -L/home/yefei.dyf/boringssl/crypto' --with-google_perftools_module

Description (last modified by Roman Arutyunyan)

The ngx_quic_send_new_token function was broken by commit 3550b00d9dc8 (https://hg.nginx.org/nginx-quic/rev/3550b00d9dc8), because tbuf would be free when the function returns, but token.data was not sent.

QUIC: avoided pool usage in token calculation.

ngx_int_t
ngx_quic_send_new_token(ngx_connection_t *c, ngx_quic_path_t *path)
{
    time_t                  expires;
    ngx_str_t               token;
    ngx_quic_frame_t       *frame;
    ngx_quic_connection_t  *qc;

    u_char                  tbuf[NGX_QUIC_TOKEN_BUF_SIZE];

    qc = ngx_quic_get_connection(c);

    expires = ngx_time() + NGX_QUIC_NEW_TOKEN_LIFETIME;

    token.data = tbuf;
    token.len = NGX_QUIC_TOKEN_BUF_SIZE;

    if (ngx_quic_new_token(c->log, path->sockaddr, path->socklen,
                           qc->conf->av_token_key, &token, NULL, expires, 0)
        != NGX_OK)
    {
        return NGX_ERROR;
    }

    frame = ngx_quic_alloc_frame(c);
    if (frame == NULL) {
        return NGX_ERROR;
    }

    frame->level = ssl_encryption_application;
    frame->type = NGX_QUIC_FT_NEW_TOKEN;
    frame->u.token.length = token.len;
    frame->u.token.data = token.data;

    ngx_quic_queue_frame(qc, frame);

    return NGX_OK;
}

Change History (2)

comment:1 by Roman Arutyunyan, 3 years ago

Description: modified (diff)
Resolution: fixed
Status: newclosed

Thanks for reporting this. Fixed by this commit:

https://hg.nginx.org/nginx-quic/rev/def8e398d7c5

comment:2 by Roman Arutyunyan <arut@…>, 2 years ago

In 9072:def8e398d7c5/nginx:

QUIC: fixed broken token in NEW_TOKEN (ticket #2446).

Previously, since 3550b00d9dc8, the token was allocated on stack, to get
rid of pool usage. Now the token is allocated by ngx_quic_copy_buffer()
in QUIC buffers, also used for STREAM, CRYPTO and ACK frames.

Note: See TracTickets for help on using tickets.