# HG changeset patch
# User Martin Duke <m.duke@f5.com>
# Date 1634029009 -10800
# Node ID b5296bd8631ce6563aa0d7b1441eee0814aacd41
# Parent  1ead7d64e9934c1a6c0d9dd3c5f1a3d643b926d6
QUIC: Check if CID has been used in stateless reset check

Section 10.3.1 of RFC9000 requires this check.

diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
--- a/src/event/quic/ngx_event_quic.c
+++ b/src/event/quic/ngx_event_quic.c
@@ -370,8 +370,11 @@ ngx_quic_process_stateless_reset(ngx_con
     {
         cid = ngx_queue_data(q, ngx_quic_client_id_t, queue);
 
-        if (cid->seqnum == 0) {
-            /* no stateless reset token in initial connection id */
+        if (cid->seqnum == 0 || cid->refcnt == 0) {
+            /*
+             * No stateless reset token in initial connection id.
+             * Don't accept a token from an unused connection id.
+             */
             continue;
         }