User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Steps to reproduce: neqo(https://github.com/mozilla/neqo) is a component used by Mozilla to implement the QUIC protocol interaction, we tested it using the main branch, when using neqo as a server to provide the QUIC service, we send a DATA_BLOCKED frame after the 1-RTT handshake has been established, and the server processes the frame and declares a new DATA expected maximum value which is more than the maximum value that can be received by varint in the QUIC protocol, thus causing a crash. The attacker only needs to establish a connection and send a DATA_BLOCKED frame to perform a DOS attack on a QUIC service built with neqo. The exact cause is as follows: - When DATA_BLOCKED is received, neqo chooses to send a MAX_DATA frame to update it, the implementation of which is located in line 229 of neqo-transport/src/streams.rs - This is followed by a call to ReceiverFlowControl::write_frames, located at line 321 of neqo-transport/src/streams.rs, and a call to self.next_limit() at line 330 to update the maximum number of acceptable DATA. - The next_limit function is calculated as self.retired(the amount of data already received) + self.max_active(the current maximum acceptable value). - However, in ReceiverFlowControl::new(), located in neqo-transport/src/fc.rs on line 244, max_active is set to max, which is 2^62-1 in the default setting, which is in line 108 of neqo-transport/src/connection/params.rs, which is the maximum value that varint can receive, so once self.retired is not 0, i.e. several bytes have already been received, the new max_allowed exceeds 2^62 and ends up at line 210 of neqo-common/src/codec.rs varint_len function triggers a crash. Actual results: As shown in the attachment, neqo service is running on port 32440, we sent 2 DATA_BLOCKED frames, neqo correctly processed the first one, this is because at this time self.retired==0 , when processing the second one, self.retired increased to 3, at this time, the neqo server will report an error and exit the programme. The error message is as follows: thread 'main' panicked at neqo-common/src/codec.rs:216:19: Varint value too large stack backtrace: 0: 0x5a256162707d - std::backtrace_rs::backtrace::libunwind::trace::h302945139c18af97 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/../../backtrace/src/backtrace/libunwind.rs:116:5 1: 0x5a256162707d - std::backtrace_rs::backtrace::trace_unsynchronized::h840548b20704de9e at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5 2: 0x5a256162707d - std::sys::backtrace::_print_fmt::h2ac22f81c7dcdaef at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/sys/backtrace.rs:66:9 3: 0x5a256162707d - <std::sys::backtrace::BacktraceLock::print::DisplayBacktrace as core::fmt::Display>::fmt::h2d25858e63254058 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/sys/backtrace.rs:39:26 4: 0x5a256164ce0b - core::fmt::rt::Argument::fmt::h66cd8d9ce11d21a1 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/fmt/rt.rs:173:76 5: 0x5a256164ce0b - core::fmt::write::hd0a778a03aa43ec1 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/fmt/mod.rs:1178:21 6: 0x5a2561623cf3 - std::io::Write::write_fmt::hd97beb4bdd22d4f5 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/io/mod.rs:1823:15 7: 0x5a2561628232 - std::sys::backtrace::BacktraceLock::print::hce055f7dccf3e70f at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/sys/backtrace.rs:42:9 8: 0x5a2561628232 - std::panicking::default_hook::{{closure}}::hc67d88b4b3625d0a at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:266:22 9: 0x5a2561627e9e - std::panicking::default_hook::hf7bb98a0440f301f at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:293:9 10: 0x5a2561628b2f - std::panicking::rust_panic_with_hook::h1d911cf10ecc7e43 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:797:13 11: 0x5a25616287e3 - std::panicking::begin_panic_handler::{{closure}}::h5f828f72649fb5d3 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:664:13 12: 0x5a2561627569 - std::sys::backtrace::__rust_end_short_backtrace::ha0666bd495c11bc8 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/sys/backtrace.rs:170:18 13: 0x5a25616284a4 - rust_begin_unwind at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:662:5 14: 0x5a256164a713 - core::panicking::panic_fmt::h393e3dd80dd6b20b at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/panicking.rs:74:14 15: 0x5a25613ba3b8 - neqo_common::codec::Encoder::varint_len::he69e87fe03fef4d4 at /path/to/neqo/neqo-common/src/codec.rs:216:19 16: 0x5a2560fe742b - neqo_transport::packet::PacketBuilder::write_varint_frame::{{closure}}::hfe8060a639a615d8 at /path/to/neqo/neqo-transport/src/packet/mod.rs:400:27 17: 0x5a2560f63064 - core::iter::adapters::map::map_fold::{{closure}}::hb5bcf8b59dba6679 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/iter/adapters/map.rs:88:28 18: 0x5a2560ee9a61 - <core::slice::iter::Iter<T> as core::iter::traits::iterator::Iterator>::fold::h23359fb99f72c267 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/slice/iter/macros.rs:232:27 19: 0x5a2560f61ce9 - <core::iter::adapters::map::Map<I,F> as core::iter::traits::iterator::Iterator>::fold::hb2aeeac1cd10f2e6 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/iter/adapters/map.rs:128:9 20: 0x5a2560f63678 - <usize as core::iter::traits::accum::Sum>::sum::h504084182f5db453 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/iter/traits/accum.rs:50:17 21: 0x5a2560f62404 - core::iter::traits::iterator::Iterator::sum::h51da320164083910 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/iter/traits/iterator.rs:3577:9 22: 0x5a2560f19fe5 - neqo_transport::packet::PacketBuilder::write_varint_frame::had81f5e136c86f0c at /path/to/neqo/neqo-transport/src/packet/mod.rs:398:16 23: 0x5a25610202a7 - neqo_transport::fc::ReceiverFlowControl<()>::write_frames::h61266ba7d1ddbb2b at /path/to/neqo/neqo-transport/src/fc.rs:331:12 24: 0x5a2560f452e8 - neqo_transport::streams::Streams::write_maintenance_frames::hd9dadc70f995189d at /path/to/neqo/neqo-transport/src/streams.rs:229:9 25: 0x5a256100ef6f - neqo_transport::connection::Connection::write_appdata_frames::hff8a641276e82743 at /path/to/neqo/neqo-transport/src/connection/mod.rs:2181:9 26: 0x5a2561010458 - neqo_transport::connection::Connection::write_frames::h172e50d73eec28dd at /path/to/neqo/neqo-transport/src/connection/mod.rs:2361:17 27: 0x5a2561011eb1 - neqo_transport::connection::Connection::output_path::h235e5dada61fd6aa at /path/to/neqo/neqo-transport/src/connection/mod.rs:2502:21 28: 0x5a2560fa2ed4 - neqo_transport::connection::Connection::output::{{closure}}::h2a57400a8b08133f at /path/to/neqo/neqo-transport/src/connection/mod.rs:2063:31 29: 0x5a2560ff4b5d - core::option::Option<T>::map_or_else::hefa996f437415c68 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/option.rs:1210:24 30: 0x5a256100df08 - neqo_transport::connection::Connection::output::hded2c10498f6749b at /path/to/neqo/neqo-transport/src/connection/mod.rs:2060:35 31: 0x5a2561003748 - neqo_transport::connection::Connection::process_output::h3c83b7b42e4cb1ad at /path/to/neqo/neqo-transport/src/connection/mod.rs:1156:15 32: 0x5a2560c11f98 - neqo_transport::connection::Connection::process::h698d4780ae89eea0 at /path/to/neqo/neqo-transport/src/connection/mod.rs:1192:22 33: 0x5a2560c09ea7 - neqo_transport::server::Server::process_input::h35acf5806a30de9d at /path/to/neqo/neqo-transport/src/server.rs:376:20 34: 0x5a2560c0f05a - neqo_transport::server::Server::process::{{closure}}::h4270d692a3a278db at /path/to/neqo/neqo-transport/src/server.rs:486:39 35: 0x5a2560c44e3f - core::option::Option<T>::map_or::h12069e4bf0d76966 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/option.rs:1164:24 36: 0x5a2560c0ef40 - neqo_transport::server::Server::process::he35d1041262904fa at /path/to/neqo/neqo-transport/src/server.rs:485:19 37: 0x5a2560c41ea4 - neqo_http3::server::Http3Server::process::hf5e3a85329ad8655 at /path/to/neqo/neqo-http3/src/server.rs:125:19 38: 0x5a2560c3f5b1 - <neqo_bin::server::http3::HttpServer as neqo_bin::server::HttpServer>::process::he71da29ead6ad071 at /path/to/neqo/neqo-bin/src/server/http3.rs:86:9 39: 0x5a2560bfd513 - neqo_bin::server::ServerRunner::process_inner::{{closure}}::hcf696368084b3fa9 at /path/to/neqo/neqo-bin/src/server/mod.rs:256:19 40: 0x5a2560bfdcb2 - neqo_bin::server::ServerRunner::read_and_process::{{closure}}::h1bf1fc5ddd60e7cf at /path/to/neqo/neqo-bin/src/server/mod.rs:299:18 41: 0x5a2560bfeaa9 - neqo_bin::server::ServerRunner::run::{{closure}}::h44f4447c86082662 at /path/to/neqo/neqo-bin/src/server/mod.rs:347:58 42: 0x5a2560c00daf - neqo_bin::server::server::{{closure}}::he36cc7418e2dd45a at /path/to/neqo/neqo-bin/src/server/mod.rs:443:10 43: 0x5a2560bf10eb - neqo_server::main::{{closure}}::h1eed091db164f826 at /path/to/neqo/neqo-bin/src/bin/server.rs:13:36 44: 0x5a2560bf157b - <core::pin::Pin<P> as core::future::future::Future>::poll::h3d0c3bcdaaabab4b at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/future/future.rs:123:9 45: 0x5a2560bf8a1e - tokio::runtime::scheduler::current_thread::CoreGuard::block_on::{{closure}}::{{closure}}::{{closure}}::hf32e93c5793fdffa at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:729:57 46: 0x5a2560bf88f5 - tokio::runtime::coop::with_budget::h65ec4be0a176a434 at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/coop.rs:107:5 47: 0x5a2560bf88f5 - tokio::runtime::coop::budget::h4c9c616a68887f1e at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/coop.rs:73:5 48: 0x5a2560bf88f5 - tokio::runtime::scheduler::current_thread::CoreGuard::block_on::{{closure}}::{{closure}}::ha875dc9f51f3c7ac at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:729:25 49: 0x5a2560bf5c1d - tokio::runtime::scheduler::current_thread::Context::enter::h93bbf67f6b90c21e at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:428:19 50: 0x5a2560bf75bb - tokio::runtime::scheduler::current_thread::CoreGuard::block_on::{{closure}}::h7b498e296785792f at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:728:36 51: 0x5a2560bf722b - tokio::runtime::scheduler::current_thread::CoreGuard::enter::{{closure}}::h7ca26ec97a4ac210 at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:807:68 52: 0x5a2560bf075a - tokio::runtime::context::scoped::Scoped<T>::set::h927d9bdb0adff02c at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/context/scoped.rs:40:9 53: 0x5a2560bf306a - tokio::runtime::context::set_scheduler::{{closure}}::h1bc65cb6e3fff864 at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/context.rs:180:26 54: 0x5a2560c035b4 - std::thread::local::LocalKey<T>::try_with::hfec3d3b0cd3d4491 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/thread/local.rs:283:12 55: 0x5a2560c02a0d - std::thread::local::LocalKey<T>::with::hc7a7960b53e66eab at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/thread/local.rs:260:9 56: 0x5a2560bf2fc1 - tokio::runtime::context::set_scheduler::ha59225e764947f93 at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/context.rs:180:9 57: 0x5a2560bf6afe - tokio::runtime::scheduler::current_thread::CoreGuard::enter::h0d3c0db26969d5dd at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:807:27 58: 0x5a2560bf7298 - tokio::runtime::scheduler::current_thread::CoreGuard::block_on::h55662df0ea8f6596 at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:716:19 59: 0x5a2560bf4cbf - tokio::runtime::scheduler::current_thread::CurrentThread::block_on::{{closure}}::ha5b1990dd0841d43 at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:196:28 60: 0x5a2560bf24f8 - tokio::runtime::context::runtime::enter_runtime::h73cde13fba8978c3 at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/context/runtime.rs:65:16 61: 0x5a2560bf4988 - tokio::runtime::scheduler::current_thread::CurrentThread::block_on::h22a1c5bda317b17b at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:184:9 62: 0x5a2560bf08a9 - tokio::runtime::runtime::Runtime::block_on_inner::h9467077ff100c62c at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/runtime.rs:368:47 63: 0x5a2560bf0bee - tokio::runtime::runtime::Runtime::block_on::hd88e9ed8f146f085 at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/runtime.rs:342:13 64: 0x5a2560c01ab8 - neqo_server::main::he92a6fc4b1bfa69e at /path/to/neqo/neqo-bin/src/bin/server.rs:13:5 65: 0x5a2560bf8e72 - core::ops::function::FnOnce::call_once::hfea84c30e7c47159 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/ops/function.rs:250:5 66: 0x5a2560c02445 - std::sys::backtrace::__rust_begin_short_backtrace::hd4ffae83c75e45dc at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/sys/backtrace.rs:154:18 67: 0x5a2560bfcc36 - std::rt::lang_start::{{closure}}::he1c87708e28d5326 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/rt.rs:164:18 68: 0x5a256161edb0 - core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &F>::call_once::h49cb17a227232e8a at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/ops/function.rs:284:13 69: 0x5a256161edb0 - std::panicking::try::do_call::h4ec17dd43a7f552a at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:554:40 70: 0x5a256161edb0 - std::panicking::try::h5bb9e6fcb9bcedd4 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:518:19 71: 0x5a256161edb0 - std::panic::catch_unwind::h0351d54cce54b394 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panic.rs:345:14 72: 0x5a256161edb0 - std::rt::lang_start_internal::{{closure}}::hbedf4aa2a5b26eb2 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/rt.rs:143:48 73: 0x5a256161edb0 - std::panicking::try::do_call::h9861ac54db992cff at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:554:40 74: 0x5a256161edb0 - std::panicking::try::h20bb8ca1f70b8b85 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:518:19 75: 0x5a256161edb0 - std::panic::catch_unwind::h8478447418590db8 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panic.rs:345:14 76: 0x5a256161edb0 - std::rt::lang_start_internal::h046989e7acc7e62e at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/rt.rs:143:20 77: 0x5a2560bfcc0a - std::rt::lang_start::h27d2d3a23086a896 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/rt.rs:163:17 78: 0x5a2560c01b5e - main 79: 0x70e13d22a1ca - __libc_start_call_main at ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16 80: 0x70e13d22a28b - __libc_start_main_impl at ./csu/../csu/libc-start.c:360:3 81: 0x5a2560beb925 - _start 82: 0x0 - <unknown> Expected results: The expected result is normal processing of MAX_DATA data frames, so the max_active value in the initial state should be adjusted and set to a smaller value such as 0xffff
Bug 1965279 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Steps to reproduce: neqo(https://github.com/mozilla/neqo) is a component used by Mozilla to implement the QUIC protocol interaction, we tested it using the main branch, when using neqo as a server to provide the QUIC service, we send a DATA_BLOCKED frame after the 1-RTT handshake has been established, and the server processes the frame and declares a new DATA expected maximum value which is more than the maximum value that can be received by varint in the QUIC protocol, thus causing a crash. The attacker only needs to establish a connection and send a DATA_BLOCKED frame to perform a DOS attack on a QUIC service built with neqo. The exact cause is as follows: - When DATA_BLOCKED is received, neqo chooses to send a MAX_DATA frame to update it, the implementation of which is located in line 229 of neqo-transport/src/streams.rs - This is followed by a call to ReceiverFlowControl::write_frames, located at line 321 of neqo-transport/src/streams.rs, and a call to self.next_limit() at line 330 to update the maximum number of acceptable DATA. - The next_limit function is calculated as self.retired(the amount of data already received) + self.max_active(the current maximum acceptable value). - However, in ReceiverFlowControl::new(), located in neqo-transport/src/fc.rs on line 244, max_active is set to max, which is 2^62-1 in the default setting, which is in line 108 of neqo-transport/src/connection/params.rs, which is the maximum value that varint can receive, so once self.retired is not 0, i.e. several bytes have already been received, the new max_allowed exceeds 2^62 and ends up at line 210 of neqo-common/src/codec.rs varint_len function triggers a crash. Actual results: As shown in the attachment, neqo service is running on port 32440, we sent 2 DATA_BLOCKED frames, neqo correctly processed the first one, this is because at this time self.retired==0 , when processing the second one, self.retired increased to 3, at this time, the neqo server will report an error and exit the programme. The error message is as follows: ``` thread 'main' panicked at neqo-common/src/codec.rs:216:19: Varint value too large stack backtrace: 0: 0x5a256162707d - std::backtrace_rs::backtrace::libunwind::trace::h302945139c18af97 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/../../backtrace/src/backtrace/libunwind.rs:116:5 1: 0x5a256162707d - std::backtrace_rs::backtrace::trace_unsynchronized::h840548b20704de9e at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5 2: 0x5a256162707d - std::sys::backtrace::_print_fmt::h2ac22f81c7dcdaef at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/sys/backtrace.rs:66:9 3: 0x5a256162707d - <std::sys::backtrace::BacktraceLock::print::DisplayBacktrace as core::fmt::Display>::fmt::h2d25858e63254058 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/sys/backtrace.rs:39:26 4: 0x5a256164ce0b - core::fmt::rt::Argument::fmt::h66cd8d9ce11d21a1 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/fmt/rt.rs:173:76 5: 0x5a256164ce0b - core::fmt::write::hd0a778a03aa43ec1 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/fmt/mod.rs:1178:21 6: 0x5a2561623cf3 - std::io::Write::write_fmt::hd97beb4bdd22d4f5 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/io/mod.rs:1823:15 7: 0x5a2561628232 - std::sys::backtrace::BacktraceLock::print::hce055f7dccf3e70f at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/sys/backtrace.rs:42:9 8: 0x5a2561628232 - std::panicking::default_hook::{{closure}}::hc67d88b4b3625d0a at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:266:22 9: 0x5a2561627e9e - std::panicking::default_hook::hf7bb98a0440f301f at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:293:9 10: 0x5a2561628b2f - std::panicking::rust_panic_with_hook::h1d911cf10ecc7e43 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:797:13 11: 0x5a25616287e3 - std::panicking::begin_panic_handler::{{closure}}::h5f828f72649fb5d3 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:664:13 12: 0x5a2561627569 - std::sys::backtrace::__rust_end_short_backtrace::ha0666bd495c11bc8 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/sys/backtrace.rs:170:18 13: 0x5a25616284a4 - rust_begin_unwind at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:662:5 14: 0x5a256164a713 - core::panicking::panic_fmt::h393e3dd80dd6b20b at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/panicking.rs:74:14 15: 0x5a25613ba3b8 - neqo_common::codec::Encoder::varint_len::he69e87fe03fef4d4 at /path/to/neqo/neqo-common/src/codec.rs:216:19 16: 0x5a2560fe742b - neqo_transport::packet::PacketBuilder::write_varint_frame::{{closure}}::hfe8060a639a615d8 at /path/to/neqo/neqo-transport/src/packet/mod.rs:400:27 17: 0x5a2560f63064 - core::iter::adapters::map::map_fold::{{closure}}::hb5bcf8b59dba6679 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/iter/adapters/map.rs:88:28 18: 0x5a2560ee9a61 - <core::slice::iter::Iter<T> as core::iter::traits::iterator::Iterator>::fold::h23359fb99f72c267 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/slice/iter/macros.rs:232:27 19: 0x5a2560f61ce9 - <core::iter::adapters::map::Map<I,F> as core::iter::traits::iterator::Iterator>::fold::hb2aeeac1cd10f2e6 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/iter/adapters/map.rs:128:9 20: 0x5a2560f63678 - <usize as core::iter::traits::accum::Sum>::sum::h504084182f5db453 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/iter/traits/accum.rs:50:17 21: 0x5a2560f62404 - core::iter::traits::iterator::Iterator::sum::h51da320164083910 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/iter/traits/iterator.rs:3577:9 22: 0x5a2560f19fe5 - neqo_transport::packet::PacketBuilder::write_varint_frame::had81f5e136c86f0c at /path/to/neqo/neqo-transport/src/packet/mod.rs:398:16 23: 0x5a25610202a7 - neqo_transport::fc::ReceiverFlowControl<()>::write_frames::h61266ba7d1ddbb2b at /path/to/neqo/neqo-transport/src/fc.rs:331:12 24: 0x5a2560f452e8 - neqo_transport::streams::Streams::write_maintenance_frames::hd9dadc70f995189d at /path/to/neqo/neqo-transport/src/streams.rs:229:9 25: 0x5a256100ef6f - neqo_transport::connection::Connection::write_appdata_frames::hff8a641276e82743 at /path/to/neqo/neqo-transport/src/connection/mod.rs:2181:9 26: 0x5a2561010458 - neqo_transport::connection::Connection::write_frames::h172e50d73eec28dd at /path/to/neqo/neqo-transport/src/connection/mod.rs:2361:17 27: 0x5a2561011eb1 - neqo_transport::connection::Connection::output_path::h235e5dada61fd6aa at /path/to/neqo/neqo-transport/src/connection/mod.rs:2502:21 28: 0x5a2560fa2ed4 - neqo_transport::connection::Connection::output::{{closure}}::h2a57400a8b08133f at /path/to/neqo/neqo-transport/src/connection/mod.rs:2063:31 29: 0x5a2560ff4b5d - core::option::Option<T>::map_or_else::hefa996f437415c68 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/option.rs:1210:24 30: 0x5a256100df08 - neqo_transport::connection::Connection::output::hded2c10498f6749b at /path/to/neqo/neqo-transport/src/connection/mod.rs:2060:35 31: 0x5a2561003748 - neqo_transport::connection::Connection::process_output::h3c83b7b42e4cb1ad at /path/to/neqo/neqo-transport/src/connection/mod.rs:1156:15 32: 0x5a2560c11f98 - neqo_transport::connection::Connection::process::h698d4780ae89eea0 at /path/to/neqo/neqo-transport/src/connection/mod.rs:1192:22 33: 0x5a2560c09ea7 - neqo_transport::server::Server::process_input::h35acf5806a30de9d at /path/to/neqo/neqo-transport/src/server.rs:376:20 34: 0x5a2560c0f05a - neqo_transport::server::Server::process::{{closure}}::h4270d692a3a278db at /path/to/neqo/neqo-transport/src/server.rs:486:39 35: 0x5a2560c44e3f - core::option::Option<T>::map_or::h12069e4bf0d76966 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/option.rs:1164:24 36: 0x5a2560c0ef40 - neqo_transport::server::Server::process::he35d1041262904fa at /path/to/neqo/neqo-transport/src/server.rs:485:19 37: 0x5a2560c41ea4 - neqo_http3::server::Http3Server::process::hf5e3a85329ad8655 at /path/to/neqo/neqo-http3/src/server.rs:125:19 38: 0x5a2560c3f5b1 - <neqo_bin::server::http3::HttpServer as neqo_bin::server::HttpServer>::process::he71da29ead6ad071 at /path/to/neqo/neqo-bin/src/server/http3.rs:86:9 39: 0x5a2560bfd513 - neqo_bin::server::ServerRunner::process_inner::{{closure}}::hcf696368084b3fa9 at /path/to/neqo/neqo-bin/src/server/mod.rs:256:19 40: 0x5a2560bfdcb2 - neqo_bin::server::ServerRunner::read_and_process::{{closure}}::h1bf1fc5ddd60e7cf at /path/to/neqo/neqo-bin/src/server/mod.rs:299:18 41: 0x5a2560bfeaa9 - neqo_bin::server::ServerRunner::run::{{closure}}::h44f4447c86082662 at /path/to/neqo/neqo-bin/src/server/mod.rs:347:58 42: 0x5a2560c00daf - neqo_bin::server::server::{{closure}}::he36cc7418e2dd45a at /path/to/neqo/neqo-bin/src/server/mod.rs:443:10 43: 0x5a2560bf10eb - neqo_server::main::{{closure}}::h1eed091db164f826 at /path/to/neqo/neqo-bin/src/bin/server.rs:13:36 44: 0x5a2560bf157b - <core::pin::Pin<P> as core::future::future::Future>::poll::h3d0c3bcdaaabab4b at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/future/future.rs:123:9 45: 0x5a2560bf8a1e - tokio::runtime::scheduler::current_thread::CoreGuard::block_on::{{closure}}::{{closure}}::{{closure}}::hf32e93c5793fdffa at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:729:57 46: 0x5a2560bf88f5 - tokio::runtime::coop::with_budget::h65ec4be0a176a434 at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/coop.rs:107:5 47: 0x5a2560bf88f5 - tokio::runtime::coop::budget::h4c9c616a68887f1e at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/coop.rs:73:5 48: 0x5a2560bf88f5 - tokio::runtime::scheduler::current_thread::CoreGuard::block_on::{{closure}}::{{closure}}::ha875dc9f51f3c7ac at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:729:25 49: 0x5a2560bf5c1d - tokio::runtime::scheduler::current_thread::Context::enter::h93bbf67f6b90c21e at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:428:19 50: 0x5a2560bf75bb - tokio::runtime::scheduler::current_thread::CoreGuard::block_on::{{closure}}::h7b498e296785792f at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:728:36 51: 0x5a2560bf722b - tokio::runtime::scheduler::current_thread::CoreGuard::enter::{{closure}}::h7ca26ec97a4ac210 at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:807:68 52: 0x5a2560bf075a - tokio::runtime::context::scoped::Scoped<T>::set::h927d9bdb0adff02c at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/context/scoped.rs:40:9 53: 0x5a2560bf306a - tokio::runtime::context::set_scheduler::{{closure}}::h1bc65cb6e3fff864 at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/context.rs:180:26 54: 0x5a2560c035b4 - std::thread::local::LocalKey<T>::try_with::hfec3d3b0cd3d4491 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/thread/local.rs:283:12 55: 0x5a2560c02a0d - std::thread::local::LocalKey<T>::with::hc7a7960b53e66eab at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/thread/local.rs:260:9 56: 0x5a2560bf2fc1 - tokio::runtime::context::set_scheduler::ha59225e764947f93 at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/context.rs:180:9 57: 0x5a2560bf6afe - tokio::runtime::scheduler::current_thread::CoreGuard::enter::h0d3c0db26969d5dd at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:807:27 58: 0x5a2560bf7298 - tokio::runtime::scheduler::current_thread::CoreGuard::block_on::h55662df0ea8f6596 at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:716:19 59: 0x5a2560bf4cbf - tokio::runtime::scheduler::current_thread::CurrentThread::block_on::{{closure}}::ha5b1990dd0841d43 at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:196:28 60: 0x5a2560bf24f8 - tokio::runtime::context::runtime::enter_runtime::h73cde13fba8978c3 at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/context/runtime.rs:65:16 61: 0x5a2560bf4988 - tokio::runtime::scheduler::current_thread::CurrentThread::block_on::h22a1c5bda317b17b at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:184:9 62: 0x5a2560bf08a9 - tokio::runtime::runtime::Runtime::block_on_inner::h9467077ff100c62c at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/runtime.rs:368:47 63: 0x5a2560bf0bee - tokio::runtime::runtime::Runtime::block_on::hd88e9ed8f146f085 at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/runtime.rs:342:13 64: 0x5a2560c01ab8 - neqo_server::main::he92a6fc4b1bfa69e at /path/to/neqo/neqo-bin/src/bin/server.rs:13:5 65: 0x5a2560bf8e72 - core::ops::function::FnOnce::call_once::hfea84c30e7c47159 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/ops/function.rs:250:5 66: 0x5a2560c02445 - std::sys::backtrace::__rust_begin_short_backtrace::hd4ffae83c75e45dc at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/sys/backtrace.rs:154:18 67: 0x5a2560bfcc36 - std::rt::lang_start::{{closure}}::he1c87708e28d5326 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/rt.rs:164:18 68: 0x5a256161edb0 - core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &F>::call_once::h49cb17a227232e8a at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/ops/function.rs:284:13 69: 0x5a256161edb0 - std::panicking::try::do_call::h4ec17dd43a7f552a at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:554:40 70: 0x5a256161edb0 - std::panicking::try::h5bb9e6fcb9bcedd4 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:518:19 71: 0x5a256161edb0 - std::panic::catch_unwind::h0351d54cce54b394 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panic.rs:345:14 72: 0x5a256161edb0 - std::rt::lang_start_internal::{{closure}}::hbedf4aa2a5b26eb2 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/rt.rs:143:48 73: 0x5a256161edb0 - std::panicking::try::do_call::h9861ac54db992cff at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:554:40 74: 0x5a256161edb0 - std::panicking::try::h20bb8ca1f70b8b85 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:518:19 75: 0x5a256161edb0 - std::panic::catch_unwind::h8478447418590db8 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panic.rs:345:14 76: 0x5a256161edb0 - std::rt::lang_start_internal::h046989e7acc7e62e at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/rt.rs:143:20 77: 0x5a2560bfcc0a - std::rt::lang_start::h27d2d3a23086a896 at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/rt.rs:163:17 78: 0x5a2560c01b5e - main 79: 0x70e13d22a1ca - __libc_start_call_main at ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16 80: 0x70e13d22a28b - __libc_start_main_impl at ./csu/../csu/libc-start.c:360:3 81: 0x5a2560beb925 - _start 82: 0x0 - <unknown> ``` Expected results: The expected result is normal processing of MAX_DATA data frames, so the max_active value in the initial state should be adjusted and set to a smaller value such as 0xffff