Explicitly disallow multi-packet CHLOs. Protected by FLAGS_quic_disallow_multi_packet_chlo, default…

net/quic/quic_packet_creator.cc

Index: net/quic/quic_packet_creator.cc
diff --git a/net/quic/quic_packet_creator.cc b/net/quic/quic_packet_creator.cc
index 686fed285aa346abec8bdbf36b73736f98e9583f..f0970cc2a094cfc747b8941af4c1682c25e68c81 100644
--- a/net/quic/quic_packet_creator.cc
+++ b/net/quic/quic_packet_creator.cc
@@ -8,6 +8,7 @@
 
 #include "base/logging.h"
 #include "base/macros.h"
+#include "net/quic/crypto/crypto_protocol.h"
 #include "net/quic/crypto/quic_random.h"
 #include "net/quic/quic_bug_tracker.h"
 #include "net/quic/quic_data_writer.h"
@@ -165,6 +166,21 @@ bool QuicPacketCreator::ConsumeData(QuicStreamId id,
     return false;
   }
   CreateStreamFrame(id, iov, iov_offset, offset, fin, frame);
+  // Explicitly disallow multi-packet CHLOs.
+  if (FLAGS_quic_disallow_multi_packet_chlo && id == kCryptoStreamId &&
+      frame->stream_frame->data_length >= sizeof(kCHLO) &&
+      strncmp(frame->stream_frame->data_buffer,
+              reinterpret_cast<const char*>(&kCHLO), sizeof(kCHLO)) == 0) {
+    DCHECK_EQ(0u, iov_offset);
+    if (frame->stream_frame->data_length < iov.iov->iov_len) {
+      const string error_details = "Client hello won't fit in a single packet.";
+      QUIC_BUG << error_details;
+      delegate_->OnUnrecoverableError(QUIC_CRYPTO_CHLO_TOO_LARGE, error_details,
+                                      ConnectionCloseSource::FROM_SELF);
+      delete frame->stream_frame;
+      return false;
+    }
+  }
   if (!AddFrame(*frame, /*save_retransmittable_frames=*/true)) {
     // Fails if we try to write unencrypted stream data.
     delete frame->stream_frame;