Once the TLS handshake completes, QUICConn.HandleData buffers data and passes it to handlePostHandshakeMessage every time the buffer contains a complete message. The size check is wrong, however, so it can pass along a partial message, triggering a panic when handlePostHandshakeMessage tries to read the remainder of the message.
In addition, HandleData doesn't limit the amount of data it can buffer. It should reject messages larger than maxHandshake.
Thanks to @marten-seemann for reporting this issue.
Normally, we'd consider this a PRIVATE track vulnerability, but this is a very new API and the only known user (quic-go) has already released a workaround in a patch release, so we're calling it PUBLIC track.
The panic due to partial messages is CVE-2023-39321.
The lack of a limit on buffered post-handshake data is CVE-2023-39322.
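The two checks described above (deliver only complete messages, reject anything larger than maxHandshake) can be illustrated with a small buffer type. This is an added example, not the crypto/tls code or its fix; `msgBuffer`, `feed` and `errTooLarge` are hypothetical names, and the value given to `maxHandshake` is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// maxHandshake is the limit named in the issue; the value 65536 is an
// assumption made for this example.
const maxHandshake = 65536

var errTooLarge = errors.New("handshake message exceeds maxHandshake")

// msgBuffer is a hypothetical stand-in for the post-handshake data buffer.
type msgBuffer struct{ buf []byte }

// feed appends data and returns every complete message, header included.
// A TLS handshake message is a 1-byte type, a 3-byte big-endian body length,
// and then the body, so a message is complete at 4+n buffered bytes.
func (b *msgBuffer) feed(data []byte) ([][]byte, error) {
	b.buf = append(b.buf, data...)
	var out [][]byte
	for len(b.buf) >= 4 {
		n := int(b.buf[1])<<16 | int(b.buf[2])<<8 | int(b.buf[3])
		if n > maxHandshake {
			b.buf = nil // drop the data instead of waiting for the rest
			return out, errTooLarge
		}
		if len(b.buf) < 4+n {
			break // partial message: keep buffering, deliver nothing yet
		}
		out = append(out, append([]byte(nil), b.buf[:4+n]...))
		b.buf = b.buf[4+n:]
	}
	return out, nil
}

func main() {
	var b msgBuffer
	// Constructed input: one message of type 4 with a 5-byte body, split in two.
	msgs, err := b.feed([]byte{4, 0, 0, 5, 'a', 'b'})
	fmt.Println(len(msgs), err)
	msgs, err = b.feed([]byte{'c', 'd', 'e'})
	fmt.Println(len(msgs), err)
	_, err = b.feed([]byte{4, 0xff, 0xff, 0xff}) // declared length of 16777215
	fmt.Println(err)
}
```

Because the declared length is checked as soon as the 4-byte header is available, an oversized message is rejected before any of its body is retained.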