From ef89e7aa1775894f0aac4bf37f8cb1c484740599 Mon Sep 17 00:00:00 2001
From: Marten Seemann
Date: Fri, 8 Dec 2017 12:37:04 +0700
Subject: [PATCH] drop Initial packets that don't fulfill the min size requirement

---
 server_tls.go | 5 ++++-
 server_tls_test.go | 15 +++++++++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/server_tls.go b/server_tls.go
index 860f3e42..a40a8f57 100644
--- a/server_tls.go
+++ b/server_tls.go
@@ -2,6 +2,7 @@ package quic
 
 import (
 	"crypto/tls"
+	"errors"
 	"fmt"
 	"net"
 
@@ -98,7 +99,9 @@ func (s *serverTLS) newMintConnImpl(bc *handshake.CryptoStreamConn, v protocol.V
 }
 
 func (s *serverTLS) handleInitialImpl(remoteAddr net.Addr, hdr *wire.Header, data []byte) (packetHandler, error) {
-	// TODO: check length requirement
+	if len(hdr.Raw)+len(data) < protocol.MinInitialPacketSize {
+		return nil, errors.New("dropping too small Initial packet")
+	}
 	// check version, if not matching send VNP
 	if !protocol.IsSupportedVersion(s.supportedVersions, hdr.Version) {
 		utils.Debugf("Client offered version %s, sending VersionNegotiationPacket", hdr.Version)
diff --git a/server_tls_test.go b/server_tls_test.go
index 5fa338e8..9c8d00ed 100644
--- a/server_tls_test.go
+++ b/server_tls_test.go
@@ -58,11 +58,15 @@ var _ = Describe("Stateless TLS handling", func() {
 		buf := &bytes.Buffer{}
 		err = f.Write(buf, protocol.VersionTLS)
 		Expect(err).ToNot(HaveOccurred())
-		return hdr, aead.Seal(nil, buf.Bytes(), 1, hdr.Raw)
+		// pad the packet such that is has exactly the required minimum size
+		buf.Write(bytes.Repeat([]byte{0}, protocol.MinInitialPacketSize-len(hdr.Raw)-aead.Overhead()-buf.Len()))
+		data := aead.Seal(nil, buf.Bytes(), 1, hdr.Raw)
+		Expect(len(hdr.Raw) + len(data)).To(Equal(protocol.MinInitialPacketSize))
+		return hdr, data
 	}
 
 	It("sends a version negotiation packet if it doesn't support the version", func() {
-		server.HandleInitial(nil, &wire.Header{Version: 0x1337}, nil)
+		server.HandleInitial(nil, &wire.Header{Version: 0x1337}, bytes.Repeat([]byte{0}, protocol.MinInitialPacketSize))
 		Expect(conn.dataWritten.Len()).ToNot(BeZero())
 		hdr, err := wire.ParseHeaderSentByServer(bytes.NewReader(conn.dataWritten.Bytes()), protocol.VersionUnknown)
 		Expect(err).ToNot(HaveOccurred())
@@ -70,6 +74,13 @@ var _ = Describe("Stateless TLS handling", func() {
 		Expect(sessionChan).ToNot(Receive())
 	})
 
+	It("drops too small packets", func() {
+		hdr, data := getPacket(&wire.StreamFrame{Data: []byte("Client Hello")})
+		data = data[:len(data)-1] // the packet is now 1 byte too small
+		server.HandleInitial(nil, hdr, data)
+		Expect(conn.dataWritten.Len()).To(BeZero())
+	})
+
 	It("ignores packets with invalid contents", func() {
 		hdr, data := getPacket(&wire.StreamFrame{StreamID: 10, Offset: 11, Data: []byte("foobar")})
 		server.HandleInitial(nil, hdr, data)
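Review bot: The new size check at the top of handleInitialImpl carries no comment saying why it exists or why it has to sit before the version check, and the TODO it replaces gave no hint either. The minimum Initial size is an anti-amplification measure: the server should not answer a datagram it is about to respond to (the version negotiation packet a few lines later) unless the sender has already spent at least that many bytes, so the ordering is part of the guarantee and worth stating, e.g. `// Drop undersized Initials before any response is generated: the minimum size bounds amplification toward a possibly spoofed source.` Since this path is fed by unauthenticated input, a package-level sentinel such as `var errInitialTooSmall = errors.New("dropping too small Initial packet")` would avoid allocating a fresh error per dropped packet and let the caller tell a deliberate drop from a real failure. handleInitialImpl continues past the hunk, so how the caller reports this error is not visible here.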
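Review bot: The new "drops too small packets" test only asserts that nothing was written back; it does not check that no session was handed out, which is the other half of "dropped" and is exactly what the version negotiation test above verifies with `Expect(sessionChan).ToNot(Receive())`. Adding that same line after the `BeZero()` expectation would pin both outcomes. The padding added to getPacket also relies on the computed count being non-negative, since `bytes.Repeat` panics on a negative count; that holds for the short frames used here, but a comment such as `// assumes the frame plus AEAD overhead fits in MinInitialPacketSize` would spare the next person who passes a larger frame a confusing panic. The enclosing Describe block starts before the hunk.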