validQUICMsg validates the incoming DNS message and returns false if something is wrong with the message.
(req *dns.Msg, l *slog.Logger)
| 427 | // validQUICMsg validates the incoming DNS message and returns false if |
| 428 | // something is wrong with the message. |
| 429 | func validQUICMsg(req *dns.Msg, l *slog.Logger) (ok bool) { |
| 430 | // See https://www.rfc-editor.org/rfc/rfc9250.html#name-protocol-errors |
| 431 | |
| 432 | // 1. a client or server receives a message with a non-zero Message ID. |
| 433 | // |
| 434 | // We do consciously not validate this case since there are stub proxies |
| 435 | // that are sending a non-zero Message IDs. |
| 436 | |
| 437 | // 2. a client or server receives a STREAM FIN before receiving all the |
| 438 | // bytes for a message indicated in the 2-octet length field. |
| 439 | // 3. a server receives more than one query on a stream |
| 440 | // |
| 441 | // These cases are covered earlier when unpacking the DNS message. |
| 442 | |
| 443 | // 4. the client or server does not indicate the expected STREAM FIN after |
| 444 | // sending requests or responses (see Section 4.2). |
| 445 | // |
| 446 | // This is quite problematic to validate this case since this would imply |
| 447 | // we have to wait until STREAM FIN is arrived before we start processing |
| 448 | // the message. So we're consciously ignoring this case in this |
| 449 | // implementation. |
| 450 | |
| 451 | // 5. an implementation receives a message containing the edns-tcp-keepalive |
| 452 | // EDNS(0) Option [RFC7828] (see Section 5.5.2). |
| 453 | if opt := req.IsEdns0(); opt != nil { |
| 454 | for _, option := range opt.Option { |
| 455 | // Check for EDNS TCP keepalive option |
| 456 | if option.Option() == dns.EDNS0TCPKEEPALIVE { |
| 457 | l.Debug("client sent edns0 tcp keepalive option") |
| 458 | |
| 459 | return false |
| 460 | } |
| 461 | } |
| 462 | } |
| 463 | |
| 464 | // 6. a client or a server attempts to open a unidirectional QUIC stream. |
| 465 | // |
| 466 | // This case can only be handled when writing a response. |
| 467 | |
| 468 | // 7. a server receives a "replayable" transaction in 0-RTT data |
| 469 | // |
| 470 | // The information necessary to validate this is not exposed by quic-go. |
| 471 | |
| 472 | return true |
| 473 | } |
| 474 | |
| 475 | // logShortQUICRead is a logging helper for short reads from a QUIC stream. |
| 476 | func logShortQUICRead(ctx context.Context, err error, l *slog.Logger) { |
no outgoing calls
no test coverage detected
searching dependent graphs…