An attacker can cause its peer to run out of memory by sending a large number of NEWCONNECTIONID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRECONNECTIONID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRECONNECTIONID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2024-2682" }
{ "imports": [ { "path": "github.com/quic-go/quic-go", "symbols": [ "Dial", "DialAddr", "DialAddrEarly", "DialEarly", "Listen", "ListenAddr", "ListenAddrEarly", "ListenEarly", "Transport.Dial", "Transport.DialEarly", "Transport.Listen", "Transport.ListenEarly", "connIDGenerator.Retire", "connIDGenerator.SetMaxActiveConnIDs", "connIDManager.Add", "connIDManager.Get", "connection.AcceptStream", "connection.AcceptUniStream", "connection.OpenStream", "connection.OpenStreamSync", "connection.OpenUniStream", "connection.OpenUniStreamSync", "connection.run", "framerI.AppendStreamFrames", "framerI.QueueControlFrame", "packetPacker.AppendPacket", "packetPacker.MaybePackProbePacket", "packetPacker.PackAckOnlyPacket", "packetPacker.PackApplicationClose", "packetPacker.PackCoalescedPacket", "packetPacker.PackConnectionClose", "packetPacker.PackMTUProbePacket", "receiveStream.CancelRead", "receiveStream.CloseRemote", "receiveStream.Read", "sendStream.CancelWrite", "streamsMap.AcceptStream", "streamsMap.AcceptUniStream", "streamsMap.DeleteStream", "streamsMap.HandleMaxStreamsFrame", "streamsMap.OpenStream", "streamsMap.OpenStreamSync", "streamsMap.OpenUniStream", "streamsMap.OpenUniStreamSync", "streamsMap.UpdateLimits", "windowUpdateQueue.QueueAll" ] } ] }