quic: zero-initialize scid and odcid in port_default_packet_handler#30611
Closed
programsurf wants to merge 1 commit into
Closed
quic: zero-initialize scid and odcid in port_default_packet_handler#30611programsurf wants to merge 1 commit into
programsurf wants to merge 1 commit into
Conversation
10ae8b5 to
cb09832
Compare
Sashan
requested changes
Mar 27, 2026
Sashan
left a comment
Contributor
There was a problem hiding this comment.
Thank you for spotting the issue. IMO the change can be more radical here. the scid is not needed at all at least it seems to me.
thanks for your work.
cb09832 to
97f2ac1
Compare
Remove the scid variable entirely from port_default_packet_handler()
and all functions that accept it as a parameter. The scid was never
used meaningfully — cur_remote_dcid is set later during the handshake.
Remove scid parameter from:
- port_bind_channel()
- port_validate_token()
- ossl_quic_channel_on_new_conn()
- ossl_quic_bind_channel()
- ch_on_new_conn_common()
Remove the cur_remote_dcid = *peer_scid assignment in
ch_on_new_conn_common() as it wrote dead data.
CWE-457
Reported-by: Sunwoo Lee <sunwoolee@kentech.ac.kr>
CLA: trivial
97f2ac1 to
2dba5ff
Compare
2 tasks
Sashan
approved these changes
Mar 28, 2026
Contributor
There was a problem hiding this comment.
changes look good. thank you very much.
to committers: technically it's a cleanup change, but I think it's worth to be back ported to release branches too. if you agree just add release branch tags. thanks.
EDIT: change/cleanup is relevant to QUIC-server only, the QUIC server has been shipped with 3.5, thus the relevant branches are: 3.5, 3.6 and 4.0 the
fwh-dc
approved these changes
Apr 3, 2026
Collaborator
|
This pull request is ready to merge |
Member
|
OK with CLA: trivial as it is just removing unused code. |
t8m
approved these changes
Apr 8, 2026
Member
|
Merged to the master, 4.0, 3.6 and 3.5 branches. Thank you for your contribution. |
openssl-machine
pushed a commit
that referenced
this pull request
Apr 8, 2026
Remove the scid variable entirely from port_default_packet_handler()
and all functions that accept it as a parameter. The scid was never
used meaningfully — cur_remote_dcid is set later during the handshake.
Remove scid parameter from:
- port_bind_channel()
- port_validate_token()
- ossl_quic_channel_on_new_conn()
- ossl_quic_bind_channel()
- ch_on_new_conn_common()
Remove the cur_remote_dcid = *peer_scid assignment in
ch_on_new_conn_common() as it wrote dead data.
CWE-457
Reported-by: Sunwoo Lee <sunwoolee@kentech.ac.kr>
CLA: trivial
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 8 10:21:55 2026
(Merged from #30611)
(cherry picked from commit 275dab5)
openssl-machine
pushed a commit
that referenced
this pull request
Apr 8, 2026
Remove the scid variable entirely from port_default_packet_handler()
and all functions that accept it as a parameter. The scid was never
used meaningfully — cur_remote_dcid is set later during the handshake.
Remove scid parameter from:
- port_bind_channel()
- port_validate_token()
- ossl_quic_channel_on_new_conn()
- ossl_quic_bind_channel()
- ch_on_new_conn_common()
Remove the cur_remote_dcid = *peer_scid assignment in
ch_on_new_conn_common() as it wrote dead data.
CWE-457
Reported-by: Sunwoo Lee <sunwoolee@kentech.ac.kr>
CLA: trivial
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 8 10:21:55 2026
(Merged from #30611)
(cherry picked from commit 275dab5)
openssl-machine
pushed a commit
that referenced
this pull request
Apr 8, 2026
Remove the scid variable entirely from port_default_packet_handler()
and all functions that accept it as a parameter. The scid was never
used meaningfully — cur_remote_dcid is set later during the handshake.
Remove scid parameter from:
- port_bind_channel()
- port_validate_token()
- ossl_quic_channel_on_new_conn()
- ossl_quic_bind_channel()
- ch_on_new_conn_common()
Remove the cur_remote_dcid = *peer_scid assignment in
ch_on_new_conn_common() as it wrote dead data.
CWE-457
Reported-by: Sunwoo Lee <sunwoolee@kentech.ac.kr>
CLA: trivial
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 8 10:21:55 2026
(Merged from #30611)
openssl-machine
pushed a commit
that referenced
this pull request
Apr 8, 2026
Remove the scid variable entirely from port_default_packet_handler()
and all functions that accept it as a parameter. The scid was never
used meaningfully — cur_remote_dcid is set later during the handshake.
Remove scid parameter from:
- port_bind_channel()
- port_validate_token()
- ossl_quic_channel_on_new_conn()
- ossl_quic_bind_channel()
- ch_on_new_conn_common()
Remove the cur_remote_dcid = *peer_scid assignment in
ch_on_new_conn_common() as it wrote dead data.
CWE-457
Reported-by: Sunwoo Lee <sunwoolee@kentech.ac.kr>
CLA: trivial
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 8 10:21:55 2026
(Merged from #30611)
(cherry picked from commit 275dab5)
This was referenced Apr 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
QUIC_CONN_ID scid and odcid are declared without initialization.
When validate_addr == 0 and the client's Initial has no token,
port_validate_token() is never called, so scid is never written.
The uninitialized scid is passed to port_bind_channel() ->
ossl_quic_channel_on_new_conn(), where garbage data is copied
to ch->cur_remote_dcid.
Zero-initialize both variables to prevent use of uninitialized
memory.
CWE-457
Reported-by: Sunwoo Lee sunwoolee@kentech.ac.kr
CLA: trivial
Checklist