Vulnerability Information
Vulnerability Title
ngtcp2 has a qlog transport parameter serialization stack buffer overflow
Vulnerability Description
ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. Developers who are unable to upgrade immediately can disable qlog on the client.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
Stack buffer overflow
Vulnerability Title
ngtcp2 security vulnerability
Vulnerability Description
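ngtcp2 is an open-source library from ngtcp2. Versions of ngtcp2 prior to 1.22.1 contain a security vulnerability: when qlog is enabled, the ngtcp2_qlog_parameters_set_transport_params function serializes transport parameters into a fixed-size stack buffer without bounds checking, which can lead to a stack buffer overflow.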
CVSS Information
N/A
Vulnerability Type
N/A
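The bug class described above (serializing variable-length, peer-controlled values into a fixed 1024-byte buffer) is avoided by routing every write through a bounded writer. The following is an added example, not ngtcp2's code or its actual fix; `bwriter`, `bw_put`, `bw_put_hex`, `serialize_param` and the `peer_value` field are hypothetical names, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QLOG_BUF_SIZE 1024 /* fixed buffer size named in the advisory */

/* Hypothetical bounded writer: tracks the end of the buffer and a sticky
 * overflow flag instead of trusting the caller to size the buffer. */
typedef struct { char *pos; char *end; int overflow; } bwriter;

static void bw_put(bwriter *w, const char *src, size_t n) {
  if (w->overflow || n > (size_t)(w->end - w->pos)) { w->overflow = 1; return; }
  memcpy(w->pos, src, n);
  w->pos += n;
}

/* Hex-encodes peer bytes; the output is twice the input length. */
static void bw_put_hex(bwriter *w, const uint8_t *data, size_t n) {
  static const char digits[] = "0123456789abcdef";
  for (size_t i = 0; i < n && !w->overflow; ++i) {
    char pair[2] = { digits[data[i] >> 4], digits[data[i] & 0x0f] };
    bw_put(w, pair, 2);
  }
}

/* Serializes one variable-length, peer-controlled value as a JSON field.
 * Returns bytes written, or -1 if the record does not fit (the caller
 * drops the log record rather than writing past the buffer). */
static long serialize_param(char *out, size_t outlen,
                            const uint8_t *val, size_t vallen) {
  bwriter w = { out, out + outlen, 0 };
  bw_put(&w, "{\"peer_value\":\"", 15);
  bw_put_hex(&w, val, vallen);
  bw_put(&w, "\"}", 2);
  return w.overflow ? -1 : (long)(w.pos - out);
}

int main(void) {
  char buf[QLOG_BUF_SIZE];
  uint8_t small[8] = {0}, large[600]; /* constructed sample inputs */
  memset(large, 0xab, sizeof(large));
  printf("small: %ld\n", serialize_param(buf, sizeof(buf), small, sizeof(small)));
  printf("large: %ld\n", serialize_param(buf, sizeof(buf), large, sizeof(large)));
  return 0;
}
```

On overflow the buffer may hold a partial record, so the caller must discard it when the return value is -1.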