reject NEW_CONNECTION_ID frames when using zero-length connection IDs (#4878)

2025-01-15 19:30:08 -08:00
parent a2dccf54ca
commit 150b955d06
2 changed files with 26 additions and 0 deletions
--- a/conn_id_manager.go
+++ b/conn_id_manager.go
@@ -66,6 +66,12 @@ func (h *connIDManager) Add(f *wire.NewConnectionIDFrame) error {
 }

 func (h *connIDManager) add(f *wire.NewConnectionIDFrame) error {
+	if h.activeConnectionID.Len() == 0 {
+		return &qerr.TransportError{
+			ErrorCode:    qerr.ProtocolViolation,
+			ErrorMessage: "received NEW_CONNECTION_ID frame but zero-length connection IDs are in use",
+		}
+	}
 	// If the NEW_CONNECTION_ID frame is reordered, such that its sequence number is smaller than the currently active
 	// connection ID or if it was already retired, send the RETIRE_CONNECTION_ID frame immediately.
 	if f.SequenceNumber < h.activeSequenceNumber || f.SequenceNumber < h.highestRetired {
--- a/conn_id_manager_test.go
+++ b/conn_id_manager_test.go
@@ -209,6 +209,26 @@ func TestConnIDManagerConnIDRotation(t *testing.T) {
 	require.Equal(t, []wire.Frame{&wire.RetireConnectionIDFrame{SequenceNumber: 2}}, frameQueue)
 }

+func TestConnIDManagerZeroLengthConnectionID(t *testing.T) {
+	m := newConnIDManager(
+		protocol.ConnectionID{},
+		func(protocol.StatelessResetToken) {},
+		func(protocol.StatelessResetToken) {},
+		func(f wire.Frame) {},
+	)
+	require.Equal(t, protocol.ConnectionID{}, m.Get())
+	for i := 0; i < 5*protocol.PacketsPerConnectionID; i++ {
+		m.SentPacket()
+		require.Equal(t, protocol.ConnectionID{}, m.Get())
+	}
+
+	require.ErrorIs(t, m.Add(&wire.NewConnectionIDFrame{
+		SequenceNumber:      1,
+		ConnectionID:        protocol.ConnectionID{},
+		StatelessResetToken: protocol.StatelessResetToken{16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1},
+	}), &qerr.TransportError{ErrorCode: qerr.ProtocolViolation})
+}
+
 func TestConnIDManagerClose(t *testing.T) {
 	var addedTokens, removedTokens []protocol.StatelessResetToken
 	m := newConnIDManager(