| author | David Lönnhager <david.l@mullvad.net> | 2025-09-18 13:23:14 +0200 |
|---|---|---|
| committer | David Lönnhager <david.l@mullvad.net> | 2025-09-18 17:20:49 +0200 |
| commit | c7385fc06254e84485de57e463385358dbda5b9f (patch) | |
| tree | 781c47c43346771b90fbc7de34d050b67c96616d | |
| parent | 72ec0d4db8fc0bd9fc468c06dd102c15e9cba501 (diff) | |
Limit number of initial packets in multiplexer
| -rw-r--r-- | tunnel-obfuscation/src/multiplexer.rs | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/tunnel-obfuscation/src/multiplexer.rs b/tunnel-obfuscation/src/multiplexer.rs
index e7a70fa059..5239b23463 100644
--- a/tunnel-obfuscation/src/multiplexer.rs
+++ b/tunnel-obfuscation/src/multiplexer.rs
@@ -34,6 +34,9 @@ use crate::socket::create_remote_socket;
 const MAX_DATAGRAM_SIZE: usize = u16::MAX as usize;
+/// Max number of initial outgoing packets to buffer for replaying to new transports
+const MAX_INITIAL_PACKETS: usize = 100;
+
 /// An obfuscator that manages multiple other obfuscators and automatically
 /// selects the first one that successfully establishes a connection.
 ///
@@ -162,6 +165,14 @@ impl Multiplexer {
 }
 self.wg_addr = Some(from_addr);
 let pkt = &wg_recv_buf[..bytes_received];
+
+ if self.initial_packets_to_send.len() >= MAX_INITIAL_PACKETS {
+ // Initial packets should be handshake initiation packets, so we
+ // should not end up here if there's some reasonable timeout.
+ // If we do, fail so we don't use excessive memory.
+ return Err(io::Error::other("Too many initial packets"));
+ }
+
 self.initial_packets_to_send.push(pkt.to_vec());
 // Fan out latest WG packet to all currently spawned endpoints. |
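Review bot: Reaching the cap in the second hunk returns `Err` from the receive path, so memory is bounded at the cost of what is presumably a hard failure of the multiplexer. Whether `from_addr` is restricted to the expected WireGuard endpoint is decided above the hunk and is not visible here. If other local senders can reach this socket before a transport is selected, a burst of datagrams would trip the limit, so it is worth confirming that check or stopping buffering while staying up: `if self.initial_packets_to_send.len() < MAX_INITIAL_PACKETS { self.initial_packets_to_send.push(pkt.to_vec()); }`. The doc comment on `MAX_INITIAL_PACKETS` in the first hunk could also state the byte bound, e.g. `/// Worst case buffered: MAX_INITIAL_PACKETS * MAX_DATAGRAM_SIZE bytes (~6.5 MB).`, assuming the receive buffer is `MAX_DATAGRAM_SIZE` long. The enclosing function starts and ends outside the hunk.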
