quic-go Path Probe Packet Handling Vulnerability Leading to Nil-Pointer Dereference

A nil-pointer dereference vulnerability has been identified in quic-go, a QUIC protocol implementation in Go. This issue arises in version 0.50.0, where the loss recovery logic for path probe packets can be exploited by a malicious QUIC client. The attacker first sends valid QUIC packets from different remote addresses, triggering the server to send path probe packets. The attacker then sends ACKs for these packets, crafted to exploit the nil-pointer dereference vulnerability.

Impact

Exploitation of this vulnerability causes a segmentation violation due to a nil-pointer dereference, leading to a crash of the application.

Reproduction

The vulnerability can be reproduced by sending valid QUIC packets from multiple remote addresses to a server running quic-go version 0.50.0. This will trigger the server's path validation logic, causing it to send path probe packets. Afterward, ACKs can be sent for the received path probe packets, specifically crafted to trigger the nil-pointer dereference in the server's loss recovery handling for path probe packets.

Remediation

Users can upgrade to quic-go version 0.50.1, which includes a patch for this vulnerability. This version also contains a test to ensure the patch covers all potential edge cases.