In 2023, a significant vulnerability (CVE-2023-39322) was found in how QUIC connections handle incoming post-handshake messages. The bug allows a malicious client or server to send endlessly large packets, causing the recipient's memory usage to grow without any bounds. Left unchecked, this can crash services, take down machines, or enable denial of service attacks.
This post covers what went wrong, how it can be abused, the technical details, a code illustration, and how maintainers locked things down in the fix.
2. Vulnerability Details
QUIC is a modern transport protocol popular for powering secure connections on the web. During communication, after the main handshake, further messages can be exchanged—these are called 'post-handshake messages.'
The Problem:
The original QUIC handling code did not set a maximum limit on the size of these post-handshake messages. That means an attacker can send a massive (or unending) stream of data. Since the code would buffer all this data, it eats up RAM. Enough of this, and the whole system can run out of memory and crash.
> Summary: No upper size limit meant an attacker could cause *unbounded* memory growth simply by sending a huge or infinite message.
> Impact: Attacker can crash servers or clients (denial of service), potentially disrupt networks, or worse.
Let’s step through a basic attack using this flaw
. Victim runs a QUIC server, waiting for connections.
1. Attacker connects and successfully completes the handshake.
2. Attacker sends a *very* large post-handshake message (could be gigabytes), or keeps sending data without ending.
3. The victim’s server code receives data, keeps buffering each incoming byte, and doesn’t check or limit the buffer size.
4. Memory usage rises, quickly overwhelming the victim’s available RAM.
5. The server crashes or becomes unresponsive.
That's it—no fancy hacking, just brute force. The code was never taught to say “stop, that’s too big.”
4. Code Snippet Illustrating the Issue
Let’s look at a simplified, illustrative pseudocode snippet of what went wrong, and how the fix works.
Before the Fix (Vulnerable)
def handle_post_handshake_message(connection):
# reads data until end of stream (no length check!)
data = b""
while not end_of_message:
chunk = connection.read()
if not chunk:
break
data += chunk # This keeps growing...
process_message(data)
In this code, data can become *as large as the attacker wants*—there is no limit!
After the Fix
MAX_MESSAGE_SIZE = 65536 # 65KiB
def handle_post_handshake_message(connection):
data = b""
while not end_of_message:
chunk = connection.read()
if not chunk:
break
if len(data) + len(chunk) > MAX_MESSAGE_SIZE:
raise ValueError("QUIC message too big")
data += chunk
process_message(data)
Now, any message over 65KiB gets rejected—no more runaway memory growth.
5. The Patch: How it Got Fixed
With the fix, all implementations of the protocol were updated to *immediately reject* post-handshake messages that are larger than 65 KiB (kilobytes, or 65536 bytes).
The check is consistent: if a message is too big, the connection gets an error or is dropped.
Primary Sources
- CVE-2023-39322 (MITRE)
- Go Issue Tracker: x/net/http3: unbounded memory usage
- QUIC Protocol (IETF)
- OpenSSL Release Notes
Security Advisories:
- Go Team Security Release Note
- Google Security Blog covering QUIC vulnerabilities
7. Conclusion
CVE-2023-39322 is a classic example of how a missing sanity check can escalate into a full-blown memory exhaustion attack. If you run or maintain servers using QUIC (especially in the Go ecosystem), update immediately to the latest version and verify that a size cap is in place for incoming messages.
Key Takeaway:
Always limit the size of anything you buffer from the network—attackers are just waiting for you to forget!
If you want to read more, check out the Go Security Reports or the QUIC RFC 900.
*Have questions or want to see a deeper code dive? Drop a comment below!*
Timeline
Published on: 09/08/2023 17:15:28 UTC
Last modified on: 11/25/2023 11:15:17 UTC