Commit
Fix race condition between 0-RTT and Incoming
Closes quinn-rs#1820

The fix:

- Endpoint now maintains a slab with an entry for each pending Incoming to buffer received data.
- ConnectionIndex now maps initial DCID to that slab key immediately upon construction of Incoming.
- If Incoming is accepted, association is overridden with association with ConnectionHandle, and all buffered datagrams are fed to newly constructed Connection.
- If Incoming is refused/retried/ignored, or accepting errors, association and slab entry are cleaned up to prevent memory leak.

Additional considerations:

- The Incoming::ignore operation can no longer be implemented as just dropping it. To help prevent incorrect API usage, proto::Incoming is modified to log a warning if it is dropped without being passed to Endpoint::accept/refuse/retry/ignore.
- Three things protect against memory exhaustion attacks here:
  1. The MAX_INCOMING_CONNECTIONS limit is moved from quinn to proto, limiting the number of concurrent incoming connections for which datagrams will be buffered before the application decides what to do with them.
  2. Per-incoming buffered data is limited to the maximum initially receivable stream data as per the transport parameters, plus one datagram, after which subsequent packets are discarded if received in these conditions.
  3. The sum total of all incoming buffered data is limited to a new MAX_ALL_INCOMING_BUFFERED constant, after which subsequent packets are discarded if received in these conditions.
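The buffering policy the commit message describes (per-pending-Incoming buffer, the three memory-exhaustion limits, and cleanup on accept/refuse) as an added stand-alone example; this is not quinn's code, the limit values and the `PendingIncoming`/`Verdict` names are constructed for the demo, and a plain map keyed by initial DCID stands in for the slab plus ConnectionIndex.

```rust
use std::collections::HashMap;

// Constructed demo limits, deliberately tiny; quinn-proto's own constants differ.
pub const MAX_INCOMING: usize = 2;        // stand-in for MAX_INCOMING_CONNECTIONS
pub const PER_INCOMING_CAP: usize = 2400; // stand-in for initial max stream data + one datagram
pub const MAX_ALL_BUFFERED: usize = 4000; // stand-in for MAX_ALL_INCOMING_BUFFERED

#[derive(Debug, PartialEq)]
pub enum Verdict { Buffered, DroppedMaxIncoming, DroppedPerIncomingCap, DroppedTotalCap }

/// Datagrams held for Incomings the application has not yet decided on,
/// keyed by initial DCID. Accounting must stay exact or a cap becomes a leak.
#[derive(Default)]
pub struct PendingIncoming {
    pending: HashMap<u64, Vec<Vec<u8>>>,
    total_buffered: usize,
}

impl PendingIncoming {
    /// Apply the three limits in order before buffering a datagram for `dcid`.
    /// (How the endpoint answers a rejected Initial packet is out of scope here.)
    pub fn on_datagram(&mut self, dcid: u64, datagram: &[u8]) -> Verdict {
        let is_new = !self.pending.contains_key(&dcid);
        if is_new && self.pending.len() >= MAX_INCOMING {
            return Verdict::DroppedMaxIncoming;
        }
        let used: usize = self.pending.get(&dcid).map_or(0, |v| v.iter().map(Vec::len).sum::<usize>());
        if used + datagram.len() > PER_INCOMING_CAP {
            return Verdict::DroppedPerIncomingCap;
        }
        if self.total_buffered + datagram.len() > MAX_ALL_BUFFERED {
            return Verdict::DroppedTotalCap;
        }
        self.pending.entry(dcid).or_default().push(datagram.to_vec());
        self.total_buffered += datagram.len();
        Verdict::Buffered
    }

    /// Accept: release the entry and hand back every buffered datagram so the
    /// caller can feed them to the newly constructed Connection.
    pub fn accept(&mut self, dcid: u64) -> Option<Vec<Vec<u8>>> {
        let datagrams = self.pending.remove(&dcid)?;
        self.total_buffered -= datagrams.iter().map(Vec::len).sum::<usize>();
        Some(datagrams)
    }

    /// Refuse/retry/ignore (or an accept error) must release the entry the same way.
    pub fn discard(&mut self, dcid: u64) -> bool { self.accept(dcid).is_some() }

    pub fn total_buffered(&self) -> usize { self.total_buffered }
    pub fn pending_count(&self) -> usize { self.pending.len() }
}
```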