CVSS: 8.5 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2024-52811 – Acks not validated before logged to qlog leads to buffer overflow in ngtcp2
https://notcve.org/view.php?id=CVE-2024-52811
25 Nov 2024 — The ngtcp2 project is an effort to implement the IETF QUIC protocol in C. In affected versions, ACKs are not validated before being written to the qlog, leading to a buffer overflow. In `ngtcp2_conn::conn_recv_pkt`, new logic was added for an ACK that skips `conn_recv_ack` if an ACK has already been processed in the payload. However, this also skips `ngtcp2_pkt_validate_ack`, while the skipped ACK is still written to qlog.
• https://github.com/ngtcp2/ngtcp2/commit/44b662bd139c23fee1703bf256c13349e2e624a1
• CWE-670: Always-Incorrect Control Flow Implementation