
Issue 696887


Issue metadata

Status: Fixed
Closed: Dec 2017
OS: All
Pri: 2
Type: Bug




QUIC accepts STREAM frames with data overflowing the maximum offset

Reported by martense...@gmail.com, Feb 28 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Example URL:

Steps to reproduce the problem:
QUIC accepts STREAM frames with an offset close to the maximum offset (max uint64), as long as the sum of the offset and the data contained in that frame overflows the uint64.

Chrome seems to store these frames until the corresponding stream is closed, allowing a peer to consume more memory than advertised by the flow control window.

What is the expected behavior?
A STREAM frame as described above should have caused a flow control violation.
A better solution is to reject STREAM frames that cause this overflow because according to the spec it's not allowed to send more than 2^64 bytes on a stream.

What went wrong?
see above

Did this work before? N/A 

Chrome version: 56.0.2924.87  Channel: stable
OS Version: OS X 10.12.3
Flash Version: 

quic-go had the same issue, see here: https://github.com/lucas-clemente/quic-go/issues/452

 
Labels: Needs-Triage-M56
Cc: rch@chromium.org
Components: -Internals>Network Internals>Network>QUIC
Labels: -OS-Mac OS-All
Thanks for filing the bug.

According to the bug description, we might need an overflow check on |frame.offset + frame_payload_size| in QuicStream::OnStreamFrame(). Off to Internals>Network>QUIC for triage.

void QuicStream::OnStreamFrame(const QuicStreamFrame& frame) {
  ....
  if (frame_payload_size > 0 &&
      MaybeIncreaseHighestReceivedOffset(frame.offset + frame_payload_size)) {
    if (flow_controller_.FlowControlViolation() ||
        connection_flow_controller_->FlowControlViolation()) {
      CloseConnectionWithDetails(
          QUIC_FLOW_CONTROL_RECEIVED_TOO_MUCH_DATA,
          "Flow control violation after increasing offset");
      return;
    }
  }
}

Comment 3 by rch@chromium.org, Feb 28 2017

Cc: danzh@chromium.org
Owner: danzh@chromium.org
danzh can you take a look?

Comment 4 by danzh@chromium.org, Feb 28 2017

Yes, overflowing (offset + data length) definitely hits the implementation limit. However, I *believe* we didn't specify a stream limit in the wire spec. According to the stream frame wire format, the offset itself can be at most 64 bits. That is to say, (offset + data_length) can be beyond 2^64. Maybe we should add a limit on max stream length to the wire spec?

> reject STREAM frames that cause this overflow because according to the spec it's not allowed to send more than 2^64 bytes on a stream.
This sounds good, and should be added at the beginning of QuicStream::OnStreamFrame() https://cs.chromium.org/chromium/src/net/quic/core/quic_stream.cc?rcl=fcfee3f3e13289a2d72d1e66cbde9f209d169e33&l=87.

BTW, streams of this kind are really, really long.

Comment 5 by jri@chromium.org, Feb 28 2017

Good point that the spec doesn't mention a limit -- I've created https://github.com/quicwg/base-drafts/pull/350 to add this limit.

Comment 6 by jri@chromium.org, Feb 28 2017

Status: Assigned (was: Unconfirmed)

Comment 7 by rch@chromium.org, Nov 10 2017

danzh: Have you landed the changes in comment 4?

Comment 8 by bugdroid1@chromium.org, Dec 11 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fefaf5b1c75275985d1c94aa9c2de30710eaf0c5

commit fefaf5b1c75275985d1c94aa9c2de30710eaf0c5
Author: Dan Zhang <danzh@chromium.org>
Date: Mon Dec 11 17:06:24 2017

Landing Recent QUIC changes until Thu Dec 7 21:51:21 2017
Limit quic stream length to be 2^62. Protected by FLAGS_quic_reloadable_flag_quic_stream_too_long.

Close connection with error when:
1. The stream length reaches max limit during sending.
2. An endpoint receives stream frame and RST frame with offset larger than the limit.

Fix chromium bug crbug.com/696887

Merge internal change: 178165587

https://chromium-review.googlesource.com/c/817388/

Use GetQuic{Reloadable,Restart}Flag for feature flag accesses in QUIC.

Merge internal change: 178158996, 178177777

https://chromium-review.googlesource.com/c/818712

Fix QUIC server cert-chain compression bug and resulting bug where server does not drop client cached certs in 2RTT. Protected by FLAGS_quic_reloadable_flag_quic_2rtt_drop_client_cached_certs.

Fix for crbug.com/723604. Fixes a typo in QuicCryptoServerConfig::CompressChain() where incorrect params are passed to CertCompressor::CompressChain(). This fix exposes a bug with QUIC 2RTT: if a client sends its first CHLO with cached cert hashes and sends its second CHLO without cached cert hashes, the server now replies to the second CHLO with a REJ containing cached cert hashes when it shouldn't. This incorrect behavior is not present without fixing the aforementioned typo due to lucky coincidence. This CL fixes both the typo and the bug where the server isn't dropping client cached certs after the second CHLO.

Merge internal change: 178117979

https://chromium-review.googlesource.com/c/818747/

Finish QuicTransportVersion -> ParsedQuicVersion refactor

Merge internal change: 178031031

https://chromium-review.googlesource.com/c/817338

Deprecate FLAGS_quic_reloadable_flag_quic_truncate_long_details

Merge internal change: 177911369

https://chromium-review.googlesource.com/c/817588

Refactor QuicFramer to use ParsedQuicVersion

Merge internal change: 177885369

https://chromium-review.googlesource.com/c/817587/

Clean up dead code.

Merge internal change: 177834407

https://chromium-review.googlesource.com/c/817336/

(n/a) Harden ack handling for QUIC, protected by FLAGS_quic_reloadable_flag_quic_strict_ack_handling.

If FLAGS_quic_reloadable_flag_quic_strict_ack_handling is true:
- At sender, avoid sending empty acks.
- At receiver, close connection when an ack frame's first block length is 0, unless the ack is empty. An ack is empty iff largest_observed, first_block_length, num_ack_blocks are all 0.

Verified with clusterfuzz that this fixes http://crbug/786655.

There are many tests sending empty acks (some doing so directly, not via ScopedPacketFlusher), and setting expectations based on that. That's why I am still allowing empty acks to be received in this CL.

Merge internal change: 177753687

https://chromium-review.googlesource.com/c/818708/

QUIC - add flag count for FLAGS_quic_reloadable_flag_quic_enable_hq_deframer.

Needed to verify the new quic/http fork.

n/a (no functional change)

Merge internal change: 177665632

https://chromium-review.googlesource.com/c/817633/

Set NSTP option on Quartc QUIC connections to suppress STOP_WAITING frames. STOP_WAITING frames are going away anyway.

Merge internal change: 177659629

https://chromium-review.googlesource.com/c/818707/

Add code to QUIC TlsHandshakers to create SSL_CTXs

changes to unused TLS code in QUIC

Merge internal change: 177629057

https://chromium-review.googlesource.com/c/817583/

Set encrypters/decrypters when TLS handshake finishes

changes to unused TLS code in QUIC

Merge internal change: 177614234

https://chromium-review.googlesource.com/c/817955/

Deprecate FLAGS_quic_reloadable_flag_quic_enable_version_41.

Merge internal change: 177505836

https://chromium-review.googlesource.com/c/817480/

Add QUIC_PEER_BUG for logging alarming peer behavior.
These behave identically to DLOG(ERROR).

Merge internal change: 177502844

https://chromium-review.googlesource.com/c/818117/

Add key/IV size accessors to QUIC crypters

Merge internal change: 177501208

https://chromium-review.googlesource.com/c/817692/

Use peer class to access QuicConnection’s private member in PacketSavingConnection instead of declaring friend.

Merge internal change: 177497133

https://chromium-review.googlesource.com/c/818055/

Deprecate FLAGS_quic_reloadable_flag_quic_enable_version_38 and gfe2_reloadable_flag_quic_enable_version_39.

Merge internal change: 177359603

https://chromium-review.googlesource.com/c/817476/

deprecate FLAGS_quic_reloadable_flag_quic_use_net_byte_order_version_label

Merge internal change: 177350890

https://chromium-review.googlesource.com/c/817689/

Remove 4 booleans and the code they were used in from QUIC's Cubic code because they were always true.

n/a (Remove always true booleans)

Merge internal change: 177319308

https://chromium-review.googlesource.com/c/817688/

Deprecate FLAGS_quic_reloadable_flag_quic_use_tls13_cipher_suites

Merge internal change: 177236310

https://chromium-review.googlesource.com/c/817549/

Move includes/dependencies to where needed.

n/a (build only)

Merge internal change: 177064880

https://chromium-review.googlesource.com/c/817548/

Deprecate FLAGS_quic_reloadable_flag_quic_enable_cubic_fixes.  Also deprecates the associated connection options, because they are now useless.

n/a (Flag deprecation)

Merge internal change: 177058367

https://chromium-review.googlesource.com/c/817680/

Deprecate FLAGS_quic_reloadable_flag_quic_send_reset_token_in_shlo.

Merge internal change: 177012460

https://chromium-review.googlesource.com/c/817578/



R=rch@chromium.org

Bug: 786655, 723604, 696887
Cq-Include-Trybots: master.tryserver.chromium.android:android_cronet_tester;master.tryserver.chromium.mac:ios-simulator-cronet
Change-Id: I590980fa64d89d37717fa14546b5c8631f6a2b65
Reviewed-on: https://chromium-review.googlesource.com/817496
Reviewed-by: Ryan Hamilton <rch@chromium.org>
Reviewed-by: Misha Efimov <mef@chromium.org>
Commit-Queue: Dan Zhang <danzh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#523114}

Comment 9 by danzh@chromium.org, Dec 11 2017

Status: Fixed (was: Assigned)
Above import from internal code fixes this issue:

Limit quic stream length to be 2^62. Protected by FLAGS_quic_reloadable_flag_quic_stream_too_long.

Close connection with error when:
1. The stream length reaches max limit during sending.
2. An endpoint receives stream frame and RST frame with offset larger than the limit.
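
Added example (not Chromium code and not part of any comment in this thread): a toy C++ model of the receive-side check discussed in comment 2 and of the limit described in the fix, showing how a plain `offset + len` wraps past the flow-control comparison and how a limit check written as a subtraction rejects the frame first. `ToyStream`, `FrameResult` and the function names are hypothetical, the frames are constructed sample input, and the exact form of the hardened check is an assumption; only the 2^62 cap comes from the commit message.

```cpp
// Added illustration, not Chromium code. All names here are hypothetical.
#include <cstdint>
#include <cstdio>

enum class FrameResult { kAccepted, kFlowControlViolation, kStreamTooLong };

// Cap taken from the fix's commit message: stream length limited to 2^62.
constexpr uint64_t kMaxStreamLength = uint64_t{1} << 62;

// Toy receive side of one stream. It counts every accepted payload byte as
// buffered, which simplifies a real reassembly buffer.
struct ToyStream {
  explicit ToyStream(uint64_t limit) : window_limit(limit) {}

  uint64_t window_limit;          // highest end offset flow control allows
  uint64_t highest_received = 0;  // highest end offset seen so far
  uint64_t buffered_bytes = 0;    // payload held until the stream closes

  // Pattern from the issue: the end offset is a plain 64-bit add, so it
  // wraps modulo 2^64 and can compare as smaller than the window.
  FrameResult OnFrameUnchecked(uint64_t offset, uint64_t len) {
    const uint64_t end = offset + len;  // wraps when offset + len >= 2^64
    if (len > 0 && end > highest_received) {
      highest_received = end;
      if (highest_received > window_limit) {
        return FrameResult::kFlowControlViolation;
      }
    }
    buffered_bytes += len;
    return FrameResult::kAccepted;
  }

  // Hardened variant (assumed form): test the stream-length limit before any
  // addition. The comparison is a subtraction guarded by the offset check,
  // so the check itself cannot overflow.
  FrameResult OnFrameChecked(uint64_t offset, uint64_t len) {
    if (offset > kMaxStreamLength || len > kMaxStreamLength - offset) {
      return FrameResult::kStreamTooLong;
    }
    return OnFrameUnchecked(offset, len);  // the add is now safe
  }
};

// Replays `count` constructed 100-byte frames whose end offsets fall just
// past 2^64, against a 1000-byte window, and returns the bytes left buffered.
uint64_t BufferedAfterWrappingFrames(bool checked, int count) {
  ToyStream s(1000);
  for (int i = 0; i < count; ++i) {
    const uint64_t offset = UINT64_MAX - 9 - static_cast<uint64_t>(i);
    const FrameResult r = checked ? s.OnFrameChecked(offset, 100)
                                  : s.OnFrameUnchecked(offset, 100);
    if (r != FrameResult::kAccepted) {
      break;  // a real endpoint closes the connection at this point
    }
  }
  return s.buffered_bytes;
}

int main() {
  std::printf("unchecked: %llu bytes buffered behind a 1000-byte window\n",
              static_cast<unsigned long long>(
                  BufferedAfterWrappingFrames(false, 20)));
  std::printf("checked:   %llu bytes buffered behind a 1000-byte window\n",
              static_cast<unsigned long long>(
                  BufferedAfterWrappingFrames(true, 20)));
  return 0;
}
```

A regression test for this class of bug should cover the wrapping frame, an ordinary over-window frame, and a frame that ends exactly at the limit, since an inclusive or exclusive comparison is easy to get wrong.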