
activator: fix tunnel ID leak on failed user activation #3265

Merged: snormore merged 1 commit into main from snor/fix-activator-tunnel-id-leak on Mar 16, 2026

Conversation

@snormore (Contributor)

Summary of Changes

  • Roll back eagerly-allocated resources (tunnel_id, tunnel_net, dz_ip, publisher_dz_ip) when Pending user activation fails, preventing ghost tunnel IDs from accumulating in the in-memory device state allocator
  • Extract DeviceState::release_dz_ip() to allow releasing dz_ip independently of tunnel_id during rollback

Diff Breakdown

Category     Files   Lines (+/-)   Net
Core logic   2       +75 / -4      +71
Tests        1       +360 / -0     +360
Docs         1       +1 / -0       +1

~83% of the diff is tests.

Key files
  • activator/src/process/user.rs — add rollback of tunnel_id, tunnel_net, dz_ip, and publisher_dz_ip in 4 error paths within the Pending activation handler; add 5 rollback tests via shared helper
  • activator/src/states/devicestate.rs — extract release_dz_ip() from release() so dz_ip can be freed independently of tunnel_id
  • CHANGELOG.md — add entry for tunnel ID leak fix

Testing Verification

  • 5 new tests covering all rollback paths: transaction failure for IBRL, IBRLWithAllocatedIP, and multicast publisher; invalid tunnel endpoint rejection; dz_ip pool exhaustion
  • All 73 activator tests pass, clippy and rustfmt clean

When a Pending user activation fails (transaction error, race condition,
tunnel endpoint rejection, or dz_ip exhaustion), the eagerly-allocated
tunnel_id, tunnel_net, and dz_ip were never rolled back. These ghost IDs
accumulated in the in-memory device_state.tunnel_ids allocator, eventually
pushing new allocations past the controller's tunnel slot range and
preventing tunnel config from being pushed to devices.

Roll back all eagerly-allocated resources (tunnel_id, tunnel_net, dz_ip,
publisher_dz_ip) in every error/early-return path within the Pending
activation handler. Extract DeviceState::release_dz_ip() to allow
releasing dz_ip independently of tunnel_id during rollback.
@snormore snormore marked this pull request as ready for review March 15, 2026 21:08
@snormore snormore requested a review from elitegreg as a code owner March 15, 2026 21:08
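The leak described above, as an added example that is not the project's own code: a small Rust model of an in-memory device state with a tunnel-slot allocator and a dz_ip pool, a deliberately leaky Pending-style handler that returns early without releasing, and a fixed handler. Where the PR adds explicit rollback in each of its four error paths, this example generalizes to a drop guard that unwinds every early return, which also covers the dz_ip-exhaustion path that leaks only the tunnel_id. The type names, the slot range TUNNEL_SLOT_MAX, the error variants and the dz_ip pool are all constructed assumptions for illustration.

```rust
use std::collections::BTreeSet;
/// Tunnel slots the (hypothetical) controller accepts; tiny so exhaustion shows quickly.
pub const TUNNEL_SLOT_MAX: u16 = 4;

/// Stand-in for the activator's in-memory device state (assumed shape, not the project's type).
#[derive(Debug, Default)]
pub struct DeviceState {
    tunnel_ids: BTreeSet<u16>,
    dz_ips: BTreeSet<u32>,
}

impl DeviceState {
    /// Lowest free slot in 1..=TUNNEL_SLOT_MAX, or None once leaked/used IDs fill the range.
    pub fn allocate_tunnel_id(&mut self) -> Option<u16> {
        let id = (1..=TUNNEL_SLOT_MAX).find(|id| !self.tunnel_ids.contains(id))?;
        self.tunnel_ids.insert(id);
        Some(id)
    }
    /// First address in `pool` not yet handed out, or None on exhaustion.
    pub fn allocate_dz_ip(&mut self, pool: &[u32]) -> Option<u32> {
        let ip = pool.iter().copied().find(|ip| !self.dz_ips.contains(ip))?;
        self.dz_ips.insert(ip);
        Some(ip)
    }
    pub fn release_tunnel_id(&mut self, id: u16) { self.tunnel_ids.remove(&id); }
    /// Separate from release_tunnel_id so a partial allocation can be unwound.
    pub fn release_dz_ip(&mut self, ip: u32) { self.dz_ips.remove(&ip); }
    pub fn tunnel_ids_in_use(&self) -> usize { self.tunnel_ids.len() }
}

#[derive(Debug, PartialEq, Eq)]
pub enum ActivationError { TunnelSlotsExhausted, DzIpExhausted, TransactionFailed }

/// Before the fix: eager allocation, and every early return leaves the IDs marked in use.
pub fn activate_leaky(state: &mut DeviceState, pool: &[u32], tx_ok: bool) -> Result<(u16, u32), ActivationError> {
    let tunnel_id = state.allocate_tunnel_id().ok_or(ActivationError::TunnelSlotsExhausted)?;
    // dz_ip exhaustion returns here with tunnel_id still allocated
    let dz_ip = state.allocate_dz_ip(pool).ok_or(ActivationError::DzIpExhausted)?;
    if !tx_ok {
        return Err(ActivationError::TransactionFailed); // both resources leak here
    }
    Ok((tunnel_id, dz_ip))
}

/// Rollback guard: allocations made through it are released on drop unless `commit` ran.
pub struct PendingAllocation<'a> {
    state: &'a mut DeviceState,
    tunnel_id: Option<u16>,
    dz_ip: Option<u32>,
    committed: bool,
}

impl<'a> PendingAllocation<'a> {
    pub fn new(state: &'a mut DeviceState) -> Self {
        Self { state, tunnel_id: None, dz_ip: None, committed: false }
    }
    pub fn tunnel_id(&mut self) -> Result<u16, ActivationError> {
        let id = self.state.allocate_tunnel_id().ok_or(ActivationError::TunnelSlotsExhausted)?;
        self.tunnel_id = Some(id);
        Ok(id)
    }
    pub fn dz_ip(&mut self, pool: &[u32]) -> Result<u32, ActivationError> {
        let ip = self.state.allocate_dz_ip(pool).ok_or(ActivationError::DzIpExhausted)?;
        self.dz_ip = Some(ip);
        Ok(ip)
    }
    /// Activation succeeded: keep the allocations.
    pub fn commit(mut self) { self.committed = true; }
}

impl Drop for PendingAllocation<'_> {
    fn drop(&mut self) {
        if self.committed { return; }
        if let Some(ip) = self.dz_ip.take() { self.state.release_dz_ip(ip); }
        if let Some(id) = self.tunnel_id.take() { self.state.release_tunnel_id(id); }
    }
}

/// After the fix: same control flow, but the guard rolls back on every early return.
pub fn activate_with_rollback(state: &mut DeviceState, pool: &[u32], tx_ok: bool) -> Result<(u16, u32), ActivationError> {
    let mut pending = PendingAllocation::new(state);
    let tunnel_id = pending.tunnel_id()?;
    let dz_ip = pending.dz_ip(pool)?;
    if !tx_ok {
        return Err(ActivationError::TransactionFailed);
    }
    pending.commit();
    Ok((tunnel_id, dz_ip))
}

/// Run `failures` activations whose transaction fails (constructed pool of 8 dz_ips) and
/// report how many tunnel slots the allocator still believes are in use.
pub fn ghost_ids_after_failures(
    activate: fn(&mut DeviceState, &[u32], bool) -> Result<(u16, u32), ActivationError>,
    failures: usize,
) -> usize {
    let mut state = DeviceState::default();
    let pool: Vec<u32> = (1..=8).map(|i| 0x0a00_0000 + i).collect();
    for _ in 0..failures {
        let _ = activate(&mut state, &pool[..], false);
    }
    state.tunnel_ids_in_use()
}
```

With the leaky handler, four failed activations leave four ghost IDs and the fifth attempt fails with TunnelSlotsExhausted even though no tunnel was ever established; with the guard, the same failures leave the allocator empty. The guard is one way to make the rollback exhaustive; the PR itself releases explicitly in each error path, which is equivalent as long as every path is covered.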
@juan-malbeclabs (Contributor) commented Mar 15, 2026

@greg, it would be good if you could take a look too.

@snormore snormore merged commit c196003 into main Mar 16, 2026
30 checks passed
@snormore snormore deleted the snor/fix-activator-tunnel-id-leak branch March 16, 2026 16:17
