Skip to content

fix: drop malformed TUN packets#132

Closed
tionis wants to merge 1 commit into
encodeous:mainfrom
tionis:drop-malformed-tun-packets
Closed

fix: drop malformed TUN packets#132
tionis wants to merge 1 commit into
encodeous:mainfrom
tionis:drop-malformed-tun-packets

Conversation

@tionis

@tionis tionis commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Traffic control parsed packets from the full message buffer and trusted the packet's advertised length. On Windows this could panic when the TUN read returned fewer bytes than an IPv6 payload length claimed, for example slicing 2050 bytes from a 2016-byte read.

Carry the actual TUN read length into TCElement.Packet, make ParsePacket reject packets whose advertised length exceeds the available bytes, and drop malformed packets instead of panicking.

Traffic control parsed packets from the full message buffer and trusted the packet's advertised length. On Windows this could panic when the TUN read returned fewer bytes than an IPv6 payload length claimed, for example slicing 2050 bytes from a 2016-byte read.

Carry the actual TUN read length into TCElement.Packet, make ParsePacket reject packets whose advertised length exceeds the available bytes, and drop malformed packets instead of panicking.
Copilot AI review requested due to automatic review settings July 6, 2026 19:53

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the traffic-control (TC) pipeline against malformed packets by ensuring packet parsing is bounded by the actual TUN read size and by rejecting packets whose advertised length exceeds available bytes, preventing slice panics (notably on Windows).

Changes:

  • Change TCElement.ParsePacket to return bool and reject packets whose advertised length exceeds the available bytes.
  • Carry the actual TUN read length into TCElement.Packet during RoutineReadFromTUN.
  • Add unit tests covering oversized advertised lengths and trimming to the advertised length.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
polyamide/device/traffic_manip.go Makes packet parsing bounded and failure-aware (bool), adds header-length checks helper.
polyamide/device/traffic_manip_test.go Adds tests to verify oversized packets are rejected and valid packets are trimmed.
polyamide/device/traffic_control.go Drops malformed packets when ParsePacket fails (in addition to Validate).
polyamide/device/send.go Sets TCElement.Packet to the actual bytes read from TUN (bounded by sizes[i]).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines 36 to +40
l := elem.GetLength()
elem.Packet = elem.Buffer[MessageTransportHeaderSize : MessageTransportHeaderSize+l]
if int(l) > len(elem.Packet) {
return false
}
elem.Packet = elem.Packet[:l]
@tionis

tionis commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

I'm closing this to instead open a PR that combines all the small windows fixes I added.

@tionis tionis closed this Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants