gr1ffon/quic-go
1
0
Fork 0
forked from quic-go/quic-go
Code Pull Requests Activity

http3: reject duplicate control streams opened by the client (#4344)

Browse Source
This commit is contained in:
Marten Seemann
2024-03-03 18:22:52 +10:30
committed by GitHub
parent c5f7096f00
commit d41c0b68cd
2 changed files with 38 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
http3/server.go
View File

@@ -12,6 +12,7 @@ import (
"strconv"
"strings"
"sync"
"sync/atomic"
"time"
"github.com/quic-go/quic-go"
@@ -498,6 +499,8 @@ func (s *Server) handleConn(conn quic.Connection) error {
}
func (s *Server) handleUnidirectionalStreams(conn quic.Connection) {
var rcvdControlStream atomic.Bool
for {
str, err := conn.AcceptUniStream(context.Background())
if err != nil {
@@ -531,6 +534,11 @@ func (s *Server) handleUnidirectionalStreams(conn quic.Connection) {
str.CancelRead(quic.StreamErrorCode(ErrCodeStreamCreationError))
return
}
// Only a single control stream is allowed.
if isFirstControlStr := rcvdControlStream.CompareAndSwap(false, true); !isFirstControlStr {
conn.CloseWithError(quic.ApplicationErrorCode(ErrCodeStreamCreationError), "duplicate control stream")
return
}
f, err := parseNextFrame(str, nil)
if err != nil {
conn.CloseWithError(quic.ApplicationErrorCode(ErrCodeFrameError), "")