ngtcp2 Stack-Based Buffer Overflow Vulnerability in qlog Transport Parameter Serialization

Vulnerability

A stack-based buffer overflow vulnerability has been identified in ngtcp2, a C implementation of the IETF QUIC protocol, in versions prior to 1.22.1. The issue arises in the function ngtcp2_qlog_parameters_set_transport_params(), which serializes peer transport parameters into a fixed 1024-byte stack buffer without proper bounds checking. When qlog is enabled, a remote peer can send oversized transport parameters during the QUIC handshake, leading to out-of-bounds writes and a stack buffer overflow. This vulnerability affects deployments that process untrusted peer transport parameters with qlog enabled.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow: data is written beyond the boundaries of the allocated stack buffer. An overflow of this type can overwrite adjacent stack contents such as function return addresses, which can crash the program or lead to arbitrary code execution or other severe consequences. In this case, the buffer overflow was confirmed using AddressSanitizer, a tool that detects memory corruption errors.

Reproduction

The vulnerability can be reproduced by enabling qlog in an ngtcp2 application and allowing it to process untrusted peer transport parameters. The out-of-bounds write can be triggered by sending sufficiently large transport parameters during the QUIC handshake, which will cause the qlog serialization function to write beyond the allocated buffer size. This can be automated with a proof-of-concept that is available as an attachment in the advisory.

Remediation

Users can upgrade to ngtcp2 version 1.22.1, which addresses the vulnerability by increasing the buffer size to 2048 bytes and implementing proper bounds checks. If an immediate upgrade is not possible, qlog can be disabled on the client.
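
The bounds-checking pattern named in the remediation, as an added example (not ngtcp2's code and not taken from the advisory): every write into the fixed serialization buffer is checked against the space that remains, and an entry that does not fit is rejected rather than written. The writer type, the function names, the {"name":"hex"} output format and the hex encoding are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical bounded writer; names are illustrative, not ngtcp2 API. */
typedef struct {
  uint8_t *pos; /* next byte to write */
  uint8_t *end; /* one past the last usable byte */
  int overflow; /* sticky: set once any write did not fit */
} bwriter;

/* Copy n bytes only if they fit in the space that remains. */
static void bw_put(bwriter *w, const void *src, size_t n) {
  if (w->overflow || (size_t)(w->end - w->pos) < n) {
    w->overflow = 1;
    return;
  }
  memcpy(w->pos, src, n);
  w->pos += n;
}

/* Hex-encode peer-controlled bytes. Output is 2 * len bytes, so compare
   len against remaining / 2 (this form cannot wrap, unlike 2 * len). */
static void bw_put_hex(bwriter *w, const uint8_t *data, size_t len) {
  static const char digits[] = "0123456789abcdef";
  if (w->overflow || (size_t)(w->end - w->pos) / 2 < len) {
    w->overflow = 1;
    return;
  }
  for (size_t i = 0; i < len; ++i) {
    *w->pos++ = (uint8_t)digits[data[i] >> 4];
    *w->pos++ = (uint8_t)digits[data[i] & 0x0f];
  }
}

/* Serialize {"name":"<hex of val>"} into buf[0..cap). Returns the number of
   bytes written, or -1 if the entry does not fit (caller drops the entry). */
long serialize_param(uint8_t *buf, size_t cap, const char *name,
                     const uint8_t *val, size_t vlen) {
  bwriter w = {buf, buf + cap, 0};
  bw_put(&w, "{\"", 2);
  bw_put(&w, name, strlen(name));
  bw_put(&w, "\":\"", 3);
  bw_put_hex(&w, val, vlen);
  bw_put(&w, "\"}", 2);
  return w.overflow ? -1 : (long)(w.pos - buf);
}
```

On a -1 return the buffer may hold a partial entry, so the caller must discard it instead of emitting it to the log.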

Added: Apr 16, 2026, 10:37 PM
Updated: Apr 16, 2026, 10:37 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 6.1
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.