Skip to content

FoxIO-LLC/xring-poc

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

XRING - XQUIC QPACK Ring Buffer Resize Underflow PoC

This is the supporting code of the blog post available at https://foxio.io/blog/xring-crashing-xquic-with-spec-compliant-qpack-instructions

A remote, unauthenticated client can crash an XQUIC HTTP/3 server with spec-compliant encoder stream instructions. The bug is in xqc_ring_mem_resize (xqc_ring_mem.c): the both-truncated resize branch sizes an old-buffer tail using the new table capacity instead of the old one, causing a 64-byte heap out-of-bounds read followed by a size_t underflow into memcpy.

All versions through v1.9.4 (latest at time of publication) are affected.

Reproduce

./run.sh build      # build the XQUIC v1.9.4 server image
./run.sh start      # start it on udp/8443
./run.sh attack     # send the payload, report server state

Expected:

server: CRASHED (exit=133 oom=false)
cause: glibc _FORTIFY_SOURCE aborted the underflowed memcpy (SIGTRAP)
logs:
*** buffer overflow detected ***: terminated

ASAN (needs Go environment)

./run.sh asan
cd remote-client && go run . -target 127.0.0.1:8444
docker logs xring_xquic_asan

Mitigation

Advertise SETTINGS_QPACK_MAX_TABLE_CAPACITY = 0 to disable the dynamic table.

About

XQUIC QPACK Ring Buffer Resize Underflow PoC

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors