[SECURITY] aioquic may store an unlimited number of remote path challenges

[AsakuraMizu]

Summary

aioquic may infinitely receive PATH_CHALLENGE frames and store challenge data in remote_challenges, resulting in unbounded memory usage. It may lead to a denial-of-service attack.

Tested Version

Latest git commit (9bc1e43)

Details

#483 appears to be the cause of this vulnerability. Although MAX_REMOTE_CHALLENGES is defined, the constant is not used. As a result, the remote_challenges queue can grow infinitely.

Suggestion

aioquic/src/aioquic/quic/connection.py

Line 2045 in 9bc1e43

context.network_path.remote_challenges.append(data)

Check the length of remote_challenges before appending challenge data.

[k4ra5u]

This issue is verified to be reproducible, by constantly writing path challenge frames, aioquic has consumed almost 10GB of memory and will eventually be killed by the OS.

aioquic/src/aioquic/quic/connection.py

Lines 3040 to 3041 in 9bc1e43

	while len(network_path.remote_challenges) > 0:
	challenge = network_path.remote_challenges.popleft()

Although connection.py's line 3041 empties network_path.remote_challenges, however, if the client chooses not to send an ACK message in response to the path response, aioquic does not go as far as this statement, causing the network_path.remote_challengesqueue to continue to accumulate.