* Nature of issue: Crash (Denial of Service)
* Source of issue: Dependent package (ring)
* Affected versions of qcp: 0.1.0-0.3.2
* Recommendation: Upgrade to qcp 0.3.3 or later

All versions of qcp from 0.1.0 to 0.3.2 are affected, but only if built with runtime overflow checks.
RUSTFLAGS, or in your Cargo.toml profile.

We recommend you upgrade to qcp 0.3.3 or later. Users upgrading from versions prior to 0.3.0 should note that an incompatible protocol change was introduced in version 0.3.0, so they should stage their upgrade carefully.
Alternatively, it is possible to avoid upgrading by rebuilding qcp locally. The following alternative mitigations have been identified:
* Rebuild locally with runtime overflow checks disabled
* Rebuild locally using a fixed version of the ring dependency (0.17.12 or later).
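
To confirm which ring release a local build is locked to, the following added example (not part of the advisory or of qcp's code) scans Cargo.lock text for `ring` entries older than 0.17.12. The function names and the sample lockfile are constructed for illustration.

```rust
// Added example: find `ring` entries in Cargo.lock text older than the fixed release.
// FIXED comes from the advisory; function names and sample data are constructed.
const FIXED: (u64, u64, u64) = (0, 17, 12);

// Constructed sample lockfile fragment (not taken from qcp's repository).
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "example-dep"
version = "1.2.3"

[[package]]
name = "ring"
version = "0.17.8"
"#;

/// Parse "MAJOR.MINOR.PATCH", ignoring +build metadata; pre-releases fail to parse.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut parts = v.split('+').next()?.split('.').map(|p| p.parse::<u64>());
    Some((parts.next()?.ok()?, parts.next()?.ok()?, parts.next()?.ok()?))
}

/// Value of a `key = "value"` line, if the line has exactly that key.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Return every locked `ring` version that is older than FIXED or unparseable.
fn vulnerable_ring_versions(lockfile: &str) -> Vec<String> {
    let mut found = Vec::new();
    let mut current_name = "";
    for line in lockfile.lines() {
        if line.trim() == "[[package]]" {
            current_name = ""; // new package block: forget the previous name
        } else if let Some(name) = quoted_value(line, "name") {
            current_name = name;
        } else if let Some(version) = quoted_value(line, "version") {
            let fixed = parse_version(version).map_or(false, |v| v >= FIXED);
            if current_name == "ring" && !fixed {
                found.push(version.to_string()); // flagged conservatively
            }
        }
    }
    found
}

fn main() {
    println!("ring versions to update: {:?}", vulnerable_ring_versions(SAMPLE_LOCK));
}
```

To check a real build, read its Cargo.lock (for example with `std::fs::read_to_string`) and pass the contents to `vulnerable_ring_versions`.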
The upstream advisory describes a crash in the implementation of the QUIC protocol that can be induced by a specially-crafted packet, and which happens naturally approximately every 1 in 2**32 packets sent and/or received.
The crash only happens when runtime overflow checking is enabled. Note that the upstream advisory describes the overflow check causing this issue as "unwanted". Their response, to remove the overflow check in one place, does not introduce any additional issue.
During qcp file transfer sessions, it is possible for an attacker to send a specially-crafted packet that could trigger this issue.
* In that case, and only if qcp was built with runtime overflow checks enabled, the effect is a Rust panic which immediately aborts the transfer. There is no additional impact on system resources at either end, nor on other file transfers in progress.
* As qcp runs a separate process for every connected user, the impact of the attack is limited to a single session.

The underlying issue may also affect particularly large file transfers. The maximum TLS packet size is 16KB, so 2**32 packets will transfer up to 68TB (including the protocol/retransmit overhead). Again, this is only the case if qcp was built with runtime overflow checks enabled.
As of the time of writing, we are not aware of any reports of this issue being exploited.
Upstream advisories:
* RUSTSEC-2025-0009
* https://github.com/advisories/GHSA-4p46-pwfr-66x6

{ "nvd_published_at": null, "cwe_ids": [], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-03-08T01:30:18Z" }