Rebase onto quinn-proto 0.11.14 (SPO-428 / GHSA-6xvm-j4wr-6v98)#4
Merged
Kristopher Johnson (kristopherjohnson) merged 44 commits intomainfrom Apr 23, 2026
Merged
Conversation
Aligns with 100 columns, attempts to improve clarity, takes inspiration from tokio::io::AsyncWriteExt docs.
Co-authored-by: Benjamin Saunders <ben.e.saunders@gmail.com>
Bumps [url](https://github.com/servo/rust-url) from 2.5.4 to 2.5.7. - [Release notes](https://github.com/servo/rust-url/releases) - [Commits](https://github.com/servo/rust-url/commits) --- updated-dependencies: - dependency-name: url dependency-version: 2.5.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/setup-java](https://github.com/actions/setup-java) from 4 to 5. - [Release notes](https://github.com/actions/setup-java/releases) - [Commits](actions/setup-java@v4...v5) --- updated-dependencies: - dependency-name: actions/setup-java dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [serde_json](https://github.com/serde-rs/json) from 1.0.142 to 1.0.143. - [Release notes](https://github.com/serde-rs/json/releases) - [Commits](serde-rs/json@v1.0.142...v1.0.143) --- updated-dependencies: - dependency-name: serde_json dependency-version: 1.0.143 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
```
warning: called `unwrap` on `self.exit_probe_rtt_at` after checking its variant with `is_none`
--> quinn-proto/src/congestion/bbr/mod.rs:247:48
|
238 | if self.exit_probe_rtt_at.is_none() {
| ----------------------------------- help: try: `if let Some(<item>) = self.exit_probe_rtt_at`
...
247 | } else if is_round_start && now >= self.exit_probe_rtt_at.unwrap() {
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#unnecessary_unwrap
= note: `#[warn(clippy::unnecessary_unwrap)]` on by default
```
aws-lc-rs from 1.9 to 1.16.2 Fixes security vulnerabilities in aws-lc dependencies: - aws-lc-sys updated to 0.39.1 (fixes GHSA-9f94-5g5w-gf6r, GHSA-hfpc-8r3f-gw53) - aws-lc-fips-sys updated to 0.13.14 (fixes GHSA-65p9-r9h6-22vj)
# How to handle this commit? - This commit is intended to be used by Ditto as its `quinn-proto` vendored dependency. - This commit SHOULD NOT be merged in `main`, but stay in a separate branch, which should be rebased on `main@upstream` regularly. # Why does this commit exist? The QUIC standard imposes that packets originating from an unvalidated path be discarded (unless they are specifically probing packets in response to a `PATH_CHALLENGE`, which can only be started once the handshake is completed). This conflicts heavily with our usage in Ditto, where we perform "implicit server address migration" as a way for peers to discover each other's link-local address for unicast links. This implicit migration is performed by allowing the client to address the server through an arbitrary "jumpstart" address; the server then responds, continuing the handshake, using its actual link-local IPv6 as the `src_ip` for its datagrams. From that point onwards, packets from the client will target this newly learnt IP. This is no less secure than discarding packets based on source IP, as spoofing that IP is trivial; the security being instead provided by cryptography that doesn't take IP headers into account. Note that this implicit migration is not implemented here, but is _enabled_ by this commit. The implicit migration is performed by keeping track of a packet's source IP, and setting it as the peer's new IP from the moment the packet has been validated cryptographically; typically by observing that `quinn-proto` raised an event pertaining to it.
GeorgeAtDTO
approved these changes
Apr 22, 2026
Member
|
Kristopher Johnson (@kristopherjohnson) good to merge this? |
Kristopher Johnson (kristopherjohnson)
deleted the
kj/spo-428/rebase-quinn-proto-0.11.14
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
15 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Rebases Ditto's
quinnfork onto the upstreamquinn-proto-0.11.14tag, which contains the fix for GHSA-6xvm-j4wr-6v98 — an unauthenticated remote DoS via panic during QUIC transport-parameter parsing.Linear: SPO-428
Commits on top of
quinn-proto-0.11.14build(deps): bump aws-lc-rs from 1.9 to 1.16.2— Ditto security bump (wasb7999e7bonsp/if_index). Picks upaws-lc-sys0.39.1 /aws-lc-fips-sys0.13.14 which address GHSA-9f94-5g5w-gf6r, GHSA-hfpc-8r3f-gw53, GHSA-65p9-r9h6-22vj.Add interface_index to RecvMeta— Ditto feature used by L2DS (was8b91782aonsp/if_index).DO NOT MERGE! DIVERGENCE FROM STANDARD FOR DITTO USAGE ONLY— Ditto source-IP-check bypass required for L2DS implicit migration (was20c9db08onpa/non-standard/disable-ip-src-checks). See #1 for rationale.The source-IP-check patch commit carries a one-line
#[allow(clippy::collapsible_if)]added during this rebase because upstream's clippy lints now flag the intentionally nestedifused to keep the patch easily revertible.Verification
Ran on macOS (aarch64-apple-darwin) in this worktree:
cargo check --all-targets→ cleancargo test --all-targets→ all default-member tests pass (263 in quinn-proto, 17 in quinn, 7 in quinn-udp)cargo fmt --check→ cleancargo clippy --locked --all-targets -- -D warnings→ cleancargo check --locked --manifest-path quinn/Cargo.toml --all-targets --no-default-features→ cleanThe
fuzz/member fails to build on upstreamquinn-proto-0.11.14itself (API drift onStreams::new/SendStream::new); this is a pre-existing issue in the upstream release branch and not caused by this PR. It is not indefault-members.Notes for reviewers
quinn-protoversions stay mechanical.getditto/ditto) currently referencesbranch = "sp/if_index"forquinn,quinn-udp, andquinn-proto. Updating that reference to consume this branch (or a specific rev from it) is out of scope for this PR and will be handled separately ingetditto/ditto.