Description
According to RFC 9000, Section 17.2.5.1 (Sending a Retry Packet):

> The server includes a connection ID of its choice in the Source Connection ID field. This value MUST NOT be equal to the Destination Connection ID field of the packet sent by the client. A client MUST discard a Retry packet that contains a Source Connection ID field that is identical to the Destination Connection ID field of its Initial packet.
In the QUIC_OPER_TYPE_RETRY code path, the implementation generates a new Source Connection ID (CID) using random bytes. However, it does not explicitly check that the generated Source CID differs from the client’s Destination CID, as required by the RFC above.
Lines 976 to 978 in 2623c07:

```c
uint8_t NewDestCid[QUIC_CID_MAX_LENGTH];
CXPLAT_DBG_ASSERT(sizeof(NewDestCid) >= MsQuicLib.CidTotalLength);
CxPlatRandom(sizeof(NewDestCid), NewDestCid);
```
This correctly generates a random Source CID for the Retry packet, but nothing ensures that it does not accidentally match the client's DCID. A collision is rare but possible, and when it happens the server sends a non-compliant Retry packet. The missing check is:

```c
if (memcmp(NewDestCid, RecvPacket->DestCid, RecvPacket->DestCidLen) == 0)
```
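The following is an added illustration of the compliant behaviour on both sides, not msquic code: the server redraws the Retry Source CID while it equals the client's DCID (comparing length as well as bytes, since the `memcmp` above only covers `DestCidLen` bytes), and the client discards a Retry whose SCID equals its Initial DCID. The RNG is injected so the collision path can be forced deterministically; `pick_retry_scid`, `client_should_discard_retry`, the scripted RNG and the sample CIDs are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define QUIC_CID_MAX_LENGTH 20   /* RFC 9000 upper bound on a CID length */

/* Injected RNG so a test can script the draws (hypothetical interface). */
typedef void (*cid_rng_fn)(void *ctx, uint8_t *buf, size_t len);

/* "Identical" per RFC 9000 17.2.5.1 means same length AND same bytes. */
static bool cid_equal(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    return alen == blen && memcmp(a, b, alen) == 0;
}

/* Server: draw a random SCID of scid_len bytes, redrawing on collision with the
 * client's DCID. Returns the number of redraws (0 = first draw accepted), or
 * -1 if the RNG keeps colliding, which should be treated as an RNG failure. */
static int pick_retry_scid(const uint8_t *client_dcid, size_t client_dcid_len,
                           uint8_t *scid, size_t scid_len, cid_rng_fn rng, void *ctx)
{
    if (scid_len == 0 || scid_len > QUIC_CID_MAX_LENGTH) return -1;
    for (int redraws = 0; redraws < 8; redraws++) {
        rng(ctx, scid, scid_len);
        if (!cid_equal(scid, scid_len, client_dcid, client_dcid_len)) return redraws;
    }
    return -1;
}

/* Client: a Retry whose SCID equals the DCID of our Initial MUST be discarded. */
static bool client_should_discard_retry(const uint8_t *retry_scid, size_t retry_scid_len,
                                        const uint8_t *initial_dcid, size_t initial_dcid_len)
{
    return cid_equal(retry_scid, retry_scid_len, initial_dcid, initial_dcid_len);
}

/* Scripted RNG: replays fixed 8-byte draws in order (repeats the last one). */
typedef struct { const uint8_t (*draws)[8]; size_t count, next; } scripted_rng;
static void scripted_draw(void *ctx, uint8_t *buf, size_t len)
{
    scripted_rng *s = ctx;
    size_t i = s->next < s->count ? s->next : s->count - 1;
    memcpy(buf, s->draws[i], len < 8 ? len : 8);
    s->next++;
}

/* Demo: the first draw is forced equal to the client DCID; returns the redraw count. */
static int demo_forced_collision(uint8_t out_scid[8])
{
    static const uint8_t client_dcid[8] = {1, 2, 3, 4, 5, 6, 7, 8};            /* constructed */
    static const uint8_t draws[2][8] = {{1, 2, 3, 4, 5, 6, 7, 8}, {9, 9, 9, 9, 9, 9, 9, 9}};
    scripted_rng rng = { draws, 2, 0 };
    return pick_retry_scid(client_dcid, sizeof client_dcid, out_scid, 8, scripted_draw, &rng);
}
```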