diff --git a/internal/protocol/server_parameters.go b/internal/protocol/server_parameters.go
index 961986a2d..92fb0dd27 100644
--- a/internal/protocol/server_parameters.go
+++ b/internal/protocol/server_parameters.go
@@ -151,3 +151,6 @@ const MinPacingDelay time.Duration = 100 * time.Microsecond
 // so we need to know this value in advance (or encode it into the connection ID).
 // TODO: make this configurable
 const ConnectionIDLen = 8
+
+// MinConnectionIDLenInitial is the minimum length of the destination connection ID on an Initial packet.
+const MinConnectionIDLenInitial = 8
diff --git a/server_tls.go b/server_tls.go
index 8f175a78f..f240b870b 100644
--- a/server_tls.go
+++ b/server_tls.go
@@ -137,6 +137,9 @@ func (s *serverTLS) sendConnectionClose(remoteAddr net.Addr, clientHdr *wire.Hea
 }
 
 func (s *serverTLS) handleInitialImpl(remoteAddr net.Addr, hdr *wire.Header, data []byte) (packetHandler, protocol.ConnectionID, error) {
+ if hdr.DestConnectionID.Len() < protocol.MinConnectionIDLenInitial {
+ return nil, nil, errors.New("dropping Initial packet with too short connection ID")
+ }
 if len(hdr.Raw)+len(data) < protocol.MinInitialPacketSize {
 return nil, nil, errors.New("dropping too small Initial packet")
 }
diff --git a/server_tls_test.go b/server_tls_test.go
index 49d3c5241..37dedb65d 100644
--- a/server_tls_test.go
+++ b/server_tls_test.go
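Review bot: The new length guard at the top of handleInitialImpl in server_tls.go carries no comment saying why the packet is rejected there, and the doc comment on MinConnectionIDLenInitial only restates the name. I would add above the check `// The destination connection ID on an Initial is chosen by the client; reject IDs shorter than MinConnectionIDLenInitial before doing any further work on the packet.` Both early returns also build their errors inline with errors.New, so a caller or test can tell a short-ID drop from a short-packet drop only by comparing strings; a package-level sentinel such as `var errShortInitialConnID = errors.New("dropping Initial packet with too short connection ID")` would make the two cases distinguishable. The body of handleInitialImpl continues outside the hunk, so how the returned error is logged or counted is not visible here.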
@@ -104,6 +104,16 @@ var _ = Describe("Stateless TLS handling", func() { Expect(conn.dataWritten.Len()).To(BeZero()) }) + It("drops packets with a too short connection ID", func() { + hdr := &wire.Header{ + SrcConnectionID: protocol.ConnectionID{1, 2, 3, 4, 5, 6, 7, 8}, + DestConnectionID: protocol.ConnectionID{1, 2, 3, 4}, + PacketNumberLen: protocol.PacketNumberLen1, + } + server.HandleInitial(nil, hdr, bytes.Repeat([]byte{0}, protocol.MinInitialPacketSize)) + Expect(conn.dataWritten.Len()).To(BeZero()) + }) + It("ignores packets with invalid contents", func() { hdr, data := getPacket(&wire.StreamFrame{StreamID: 10, Offset: 11, Data: []byte("foobar")}) server.HandleInitial(nil, hdr, data)
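Review bot: The new spec "drops packets with a too short connection ID" asserts only that nothing was written, and its payload is MinInitialPacketSize zero bytes, so it does not pin the new guard. The neighbouring "ignores packets with invalid contents" spec suggests undecryptable input is also dropped without a response, in which case this spec would probably still pass with the length check removed. Asserting on the returned error would tie it to the check, for example `_, _, err := server.handleInitialImpl(nil, hdr, data)` followed by `Expect(err).To(MatchError("dropping Initial packet with too short connection ID"))`, assuming `server` is the *serverTLS under test. Alternatively, build an otherwise valid packet with getPacket and shorten only DestConnectionID. A pair of cases with a 7-byte and an 8-byte ID would also document exactly where the limit sits.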