fix: break out of reading from the association if we can't get to rel…

…ay (#245) * fix: return early on failure to upgrade * fix: add `ERR_READ` connection errors to track non-closure errors * Close the association on invalid ciphers and packets to release resources. * Break out of the association `Read()` loop on non-close read errors. * Add `nil` checks. * Simplify breaking out of the read loop for all initial packet errors. * Simplify further by just checking the `targetConn`. * Remove unnecessary `clientConn.Close()`. * Improve comment slightly.
Jigsaw-Code · Feb 27, 2025 · 9621558 · 9621558
1 parent 76c20d6
commit 9621558
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/service/udp.go b/service/udp.go
@@ -170,6 +170,11 @@ func (h *associationHandler) HandleAssociation(ctx context.Context, clientConn n
 		var proxyTargetBytes int
 
 		connError := func() *onet.ConnectionError {
+			// Error from `clientConn.Read()`.
+			if err != nil {
+				return onet.NewConnectionError("ERR_READ", "Failed to read from association", err)
+			}
+
 			var payload []byte
 			var tgtUDPAddr *net.UDPAddr
 			if targetConn == nil {
@@ -233,6 +238,11 @@ func (h *associationHandler) HandleAssociation(ctx context.Context, clientConn n
 			status = connError.Status
 		}
 		assocMetrics.AddPacketFromClient(status, int64(clientProxyBytes), int64(proxyTargetBytes))
+		if targetConn == nil {
+			// If there's still no target connection, we didn't authenticate. Break out of handling the
+			// association here so resources can be released.
+			break
+		}
 	}
 }