Do not use untrusted largest_ack

[mxinden]

Note that this pull request does not consider the remote behavior as malicious. It simply ignores the largest ACK, if it doesn't correspond to a packet previously sent.

[larseggert]

Thanks for this! But I think receiving an ACK for an unsent packet is absolutely an error.

We used to have this code, but it seems like it got dropped at some point:
https://github.com/mozilla/neqo/blob/c112ddf18975c1263878899ab2098f8736ecd589/neqo-transport/src/connection.rs#L997-L1010

CC @martinthomson in case he remembers details.

[mxinden]

That makes sense @larseggert.

What do you think of the latest commit?

This pull request now:

• Moves the check from handle_ack up into input_frame. In other words, errors as early as possible.
• No longer passes largest_acked to handle_ack, given that the information itself is already embedded in the handle_ack argument ack_ranges.

[mxinden]

We used to have this code, but it seems like it got dropped at some point: https://github.com/mozilla/neqo/blob/c112ddf18975c1263878899ab2098f8736ecd589/neqo-transport/src/connection.rs#L997-L1010

For what it is worth, this is the commit removing the handling logic. Unfortunately it is not tied to a pull request. Thus I am not sure whether there was a reason behind removing it, or whether it was an oversight.

mozilla@3a26fae