fix(connlib): don't attempt to encrypt too large packets by thomaseizinger · Pull Request #7263 · firezone/firezone

thomaseizinger · 2024-11-05T03:16:47Z

When encrypting packets, we need to reserve a buffer within which boringtun will encrypt the IP packet. Unfortunately, boringtun panics if that buffer is not big enough which essentially brings all of connlib down.

Really, we should never see a packet that is too large and ideally, we enforce this at compile-time by creating different variants of IpPacket that are sized accordingly. That is a large refactoring so until then, we simply discard them instead of panicking.

vercel · 2024-11-05T03:16:50Z

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
firezone	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Nov 5, 2024 4:04am

Co-authored-by: Jamil <jamilbk@users.noreply.github.com> Signed-off-by: Thomas Eizinger <thomas@eizinger.io>

thomaseizinger requested review from conectado and jamilbk November 5, 2024 03:16

thomaseizinger enabled auto-merge November 5, 2024 03:16

vercel Bot deployed to Preview November 5, 2024 03:20 View deployment

thomaseizinger added 2 commits November 5, 2024 14:25

Don't attempt to encrypt packets larger than our MTU

ddfd824

Add changelog entries

d7c7190

thomaseizinger force-pushed the fix/no-panic-too-large-packets branch from 5f6d535 to d7c7190 Compare November 5, 2024 03:25

vercel Bot deployed to Preview November 5, 2024 03:26 View deployment