drop Initial packets that have a too short Destination Connection ID

internal/protocol/server_parameters.go

@@ -151,3 +151,6 @@ const MinPacingDelay time.Duration = 100 * time.Microsecond
 // so we need to know this value in advance (or encode it into the connection ID).
 // TODO: make this configurable
 const ConnectionIDLen = 8
+
+// MinConnectionIDLenInitial is the minimum length of the destination connection ID on an Initial packet.
+const MinConnectionIDLenInitial = 8

server_tls.go

@@ -137,6 +137,9 @@ func (s *serverTLS) sendConnectionClose(remoteAddr net.Addr, clientHdr *wire.Hea
 }
 
 func (s *serverTLS) handleInitialImpl(remoteAddr net.Addr, hdr *wire.Header, data []byte) (packetHandler, protocol.ConnectionID, error) {
+	if hdr.DestConnectionID.Len() < protocol.MinConnectionIDLenInitial {
+		return nil, nil, errors.New("dropping Initial packet with too short connection ID")
+	}
 	if len(hdr.Raw)+len(data) < protocol.MinInitialPacketSize {
 		return nil, nil, errors.New("dropping too small Initial packet")
 	}

server_tls_test.go

@@ -104,6 +104,16 @@ var _ = Describe("Stateless TLS handling", func() {
 		Expect(conn.dataWritten.Len()).To(BeZero())
 	})
 
+	It("drops packets with a too short connection ID", func() {
+		hdr := &wire.Header{
+			SrcConnectionID:  protocol.ConnectionID{1, 2, 3, 4, 5, 6, 7, 8},
+			DestConnectionID: protocol.ConnectionID{1, 2, 3, 4},
+			PacketNumberLen:  protocol.PacketNumberLen1,
+		}
+		server.HandleInitial(nil, hdr, bytes.Repeat([]byte{0}, protocol.MinInitialPacketSize))
+		Expect(conn.dataWritten.Len()).To(BeZero())
+	})
+
 	It("ignores packets with invalid contents", func() {
 		hdr, data := getPacket(&wire.StreamFrame{StreamID: 10, Offset: 11, Data: []byte("foobar")})
 		server.HandleInitial(nil, hdr, data)