The ngtcp2 project (GitHub: https://github.com/ngtcp2/ngtcp2) is an ongoing effort to implement the IETF QUIC protocol in C. In affected versions, however, ACKs (acknowledgements) are not properly validated before being written into the qlog, resulting in a buffer overflow. This article covers the details of the issue (CVE-2024-52811), its potential impact, the original references, and the available patch.
The vulnerability stems from a lapse in the ngtcp2_conn::conn_recv_pkt function when it processes an ACK. New logic was introduced to skip the conn_recv_ack function if an ACK has already been processed within the payload, which means the ngtcp2_pkt_validate_ack function is skipped as well. The unvalidated ACK is nevertheless still written into the qlog, and that is where the problem manifests.
Because of this shortfall, ngtcp2_qlog::write_ack_frame can be reached with an invalid ACK, such as one with largest_ack= and first_ack_range=15. Computing largest_ack - first_ack_range then underflows, and the wrapped value is 20 characters long when formatted. The ngtcp2 qlog code assumes the result is a signed integer of at most 19 characters, including the NGTCP2_QLOG_ACK_FRAME_RANGE_OVERHEAD, and sizes its buffer accordingly. Consequently, the buffer overflows.
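As an added illustration, not code from ngtcp2, the following C sketch reproduces the arithmetic described above: the unchecked subtraction wraps to a 20-digit unsigned value when first_ack_range exceeds largest_ack, and running the RFC 9000 range check before formatting rejects such a frame instead of logging it. largest_ack=0 is a constructed value standing in for the elided one above, and the ASSUMED_NUM_LEN budget is an assumption for this example, not the project's constant.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-number formatting budget the writer assumes: a signed value of at
 * most 19 characters. The name and value are assumptions for this example,
 * not ngtcp2's NGTCP2_QLOG_ACK_FRAME_RANGE_OVERHEAD. */
#define ASSUMED_NUM_LEN 19

/* The check the qlog writer relied on having run earlier. RFC 9000 §19.3.1
 * requires every computed packet number in an ACK to be non-negative, so
 * first_ack_range may not exceed largest_ack. Returns 0 if valid, else -1. */
int validate_ack_range(uint64_t largest_ack, uint64_t first_ack_range) {
    return first_ack_range <= largest_ack ? 0 : -1;
}

/* Number of characters the unchecked subtraction occupies when rendered as
 * the unsigned 64-bit value the vulnerable path formatted. Unsigned wrap is
 * well defined in C, so this only measures; it never writes to a buffer. */
int unchecked_range_start_len(uint64_t largest_ack, uint64_t first_ack_range) {
    uint64_t start = largest_ack - first_ack_range; /* wraps if range > largest */
    return snprintf(NULL, 0, "%" PRIu64, start);
}

/* Hardened writer: reject invalid frames before formatting, and treat a
 * truncated snprintf as an error instead of trusting the size budget.
 * Returns bytes written, or -1 on an invalid frame or insufficient room. */
int write_ack_range_checked(char *out, size_t cap,
                            uint64_t largest_ack, uint64_t first_ack_range) {
    if (validate_ack_range(largest_ack, first_ack_range) != 0) return -1;
    int n = snprintf(out, cap, "[%" PRIu64 ",%" PRIu64 "]",
                     largest_ack - first_ack_range, largest_ack);
    if (n < 0 || (size_t)n >= cap) {
        return -1; /* would have overflowed a buffer sized from the budget */
    }
    return n;
}

int main(void) {
    char buf[2 * ASSUMED_NUM_LEN + 4];
    /* Constructed inputs: largest_ack=0 stands in for the elided value above. */
    printf("unchecked digits for (0,15): %d (budget %d)\n",
           unchecked_range_start_len(0, 15), ASSUMED_NUM_LEN);
    printf("checked (0,15): %d\n", write_ack_range_checked(buf, sizeof buf, 0, 15));
    printf("checked (100,15): %d -> %s\n",
           write_ack_range_checked(buf, sizeof buf, 100, 15), buf);
    return 0;
}
```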
The severity of this vulnerability should not be understated: it carries a high priority and could affect a large number of users who enable qlog. Thankfully, qlog is disabled by default and, because of its overhead, is used mainly for debugging, although the actual extent of its use remains uncertain.
To mitigate this issue, the developers have released a fixed version, ngtcp2 v1.9.1 (https://github.com/ngtcp2/ngtcp2/releases/tag/v1.9.1), and users are urged to upgrade. Users who cannot upgrade yet should disable qlog until the updated version can be installed.
In conclusion, CVE-2024-52811 exposes ngtcp2 users to a buffer overflow caused by unvalidated ACKs being written to the qlog. The most viable fix is to upgrade to the patched version (ngtcp2 v1.9.1); those who cannot update should keep qlog disabled to mitigate the risk.
Timeline
Published on: 11/25/2024 19:15:11 UTC